Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MikroTik API

v1.0.1

Manages MikroTik routers via the RouterOS API (port 8728/8729). Use when the user wants to configure, monitor, or troubleshoot a MikroTik router — including...

by Affif Mukhlashin @bluemeda
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the instructions: the SKILL.md documents using the routeros-api Python library to manage RouterOS resources. Required credentials (host, username, password) and the operations described (read/add/set/remove/call) are exactly what a MikroTik management skill would need. Minor concern: the package/source provenance is missing (no homepage or source repo listed in metadata), which reduces auditability.
Instruction Scope
Instructions stay within the router management scope and only reference router credentials and API operations. They appropriately recommend env vars and disconnection. Notable security-relevant instructions: they set plaintext_login=True for compatibility and show use_ssl with ssl_verify=False and ssl_verify_hostname=False in the example — these weaken transport security and should be changed in production. The SKILL.md also suggests installing a package and provides a fallback to interactive input; it does not ask for unrelated files or other system credentials.
Install Mechanism
There is no registry install spec; the runtime doc instructs users to run pip3 install --break-system-packages routeros-api. That will pull code from PyPI (moderate risk). The SKILL.md does not pin a package version or provide checksums, and the --break-system-packages flag can alter system package boundaries — these are operational risks but not incoherent with the skill's function.
Credentials
The only credentials the documentation asks for are MIKROTIK_HOST, MIKROTIK_USERNAME, and MIKROTIK_PASSWORD — proportionate and expected. The skill does not request unrelated credentials, config paths, or broad system access.
Persistence & Privilege
The skill is instruction-only, always:false, and model invocation is not disabled (the normal default). It does not request permanent presence or modify other skills' configs. Autonomous invocation is allowed by platform default — this is expected for skills but note that an autonomously-invoked skill would have the ability to attempt network connections using provided credentials.
Assessment
This skill appears to do what it says (manage MikroTik RouterOS) and only needs the router host/user/password. Before installing or using it:
(1) verify the routeros-api PyPI package and consider pinning a specific version or auditing its source;
(2) avoid the insecure example defaults in the doc: prefer use_ssl=True with ssl_verify=True and avoid plaintext_login unless absolutely required by your router/version;
(3) run installation in a controlled environment (virtualenv/container) rather than system Python, and do not use --break-system-packages unless you understand its effects;
(4) use a least-privileged router account for API actions and rotate credentials after testing; and
(5) be cautious because the skill metadata lacks a homepage or source repository; if possible, request provenance or source code before trusting it in production.


latestvk97a14wnn0zfkqx549nhpz6hvx832t18
