Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mikrotik Routeros

v2.0.4

Expert-level management of MikroTik RouterOS devices and VSOL GPON OLTs via SSH or RouterOS API (port 8728/8729) and REST API (port 80/443). Use this skill w...

Security Scan
Capability signals
Crypto: Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (MikroTik + VSOL OLT management) align with included files (RouterOS API client, SSH helper) and the reference docs. However the registry metadata claims no required env vars/binaries while SKILL.md declares ssh/sshpass and several MIKROTIK_*/OLT_* env vars — an incoherence between declared platform metadata and the runtime instructions.
! Instruction Scope
SKILL.md instructs the agent to read ~/.openclaw/workspace/TOOLS.md and ~/.ssh keys, generate SSH keypairs on the agent machine, and to prefer env vars but shows TOOLS.md examples with plaintext passwords. The included Python script explicitly reads TOOLS.md and returns host/user/password, which can expose credentials if the file contains secrets. The skill also recommends fetching external RouterOS scripts (rsc.eworm.de) and using external notification endpoints (Telegram, Evolution API) — legitimate for functionality but increases the attack surface and requires auditing of those external resources.
Install Mechanism
No install spec (instruction-only) reduces install-time risk; code files are bundled with the skill and don’t auto-download during install. SKILL.md suggests pip3 install routeros-api (and references external script sources) which would change the runtime environment if followed. Overall install mechanism is low-friction but the skill's instructions can lead users to pull external code at runtime, which should be audited.
! Credentials
Requested credentials (MIKROTIK_HOST/USER/PASS/KEY and optional OLT credentials) are appropriate for device management. However: (1) registry metadata does not declare these env vars (incoherent); (2) SKILL.md suggests storing device credentials in TOOLS.md (plaintext example present), and the Python client will parse that file — this is a disproportionate risk to local secrets if the file contains unrelated credentials or if policies expect secrets elsewhere; (3) ssh-key generation on the agent host implies writing to ~/.ssh, which is sensitive filesystem access.
Persistence & Privilege
always:false and no indication the skill modifies other skills or global agent settings. The skill can be invoked autonomously (default), which is expected for tools that manage network devices; because it can execute commands on infrastructure devices, users should be cautious about granting it autonomous invocation without restrictions, but there is no explicit overreach in persistence.
What to consider before installing
This skill appears to implement genuine MikroTik/OLT management functionality, but several red flags deserve attention before use:

  • Metadata mismatch: the registry entry lists no required env vars or binaries, but SKILL.md requires ssh/sshpass and multiple MIKROTIK_/OLT_ env vars — ask the publisher to correct metadata or explain why they differ.
  • Credentials & file access: the bundled Python client reads ~/.openclaw/workspace/TOOLS.md and will extract host/user/password; do not store unrelated secrets or production credentials in that file. Prefer providing credentials via environment variables or a secure secret store, and avoid putting passwords in plaintext in TOOLS.md.
  • SSH key generation and ~/.ssh access: the instructions recommend generating keys on the agent host and adding them to ~/.ssh; only allow this if you trust the execution environment and have isolated key usage (use dedicated management accounts/keys, not personal machine keys).
  • External downloads: the skill recommends pulling scripts from rsc.eworm.de and using external notification services (api.telegram.org, Evolution API). Audit any external scripts before deploying them to devices and verify endpoints are trustworthy and signed where possible.
  • Confirm destructive safeguards: the SKILL.md promises 'confirm destructive ops', but verify the agent actually prompts before running remove/reboot/config-change commands and that it uses least-privilege device accounts.

If you decide to use the skill: run it in a restricted environment first, review the included files (scripts/mikrotik_api.py and ssh-exec.sh) line-by-line, avoid storing production credentials in TOOLS.md, prefer SSH key auth with a dedicated management key, and require manual confirmation for any changes that write or reboot devices. Provide the publisher/homepage or a signed release if you need higher assurance; lack of a known author/homepage lowers confidence.

Like a lobster shell, security has layers — review code before you run it.

Tags: cgnat, failover, gpon, isp, latest, mikrotik, olt, pppoe, routeros
79 downloads
0 stars
6 versions
Updated 6d ago
v2.0.4
MIT-0

MikroTik RouterOS + VSOL OLT Skill

Expert-level management of MikroTik RouterOS devices and VSOL GPON OLTs. Supports three access methods: SSH CLI, RouterOS API (port 8728), and REST API (port 443). Covers ISP-grade infrastructure: PPPoE, CGNAT, RADIUS, VLAN, OSPF, BGP, VRRP, firewall, queues, OLT/ONT provisioning, failover scripts, and WhatsApp/Telegram notifications.


Access Method Selection

| Method | When to use | Port |
| --- | --- | --- |
| SSH CLI | Interactive config, scripts, export/import | 22 |
| RouterOS API | Automation, programmatic reads/writes, Python scripts | 8728/8729 |
| REST API | Modern ROS 7.1+, curl/HTTP clients, no extra library | 80/443 |

Multi-Device Configuration

Via TOOLS.md (recommended for multi-device setups)

Add to ~/.openclaw/workspace/TOOLS.md:

### MikroTik Devices
- **router1**: 192.168.88.1, admin, senha
- **router2**: 192.168.88.2, admin, senha
- **olt**: 192.168.88.3, admin, admin

Via environment variables (single device)

export MIKROTIK_HOST=172.16.100.1
export MIKROTIK_USER=admin
export MIKROTIK_PASS=senha123

Priority: env vars > TOOLS.md > ask user
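
The scan above flags plaintext passwords in TOOLS.md. As an added example (not part of the skill's bundled code), this audit parses the entry format shown above and reports stored passwords and loose file permissions without ever returning the password values. The function names and the sample file are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Entry format taken from the TOOLS.md example on this page:
#   - **name**: host, user, password
ENTRY = re.compile(r"^\s*-\s*\*\*(?P<name>[^*]+)\*\*:\s*(?P<fields>.+)$")

def parse_devices(text):
    """Return (devices, findings); passwords are never returned or logged."""
    devices, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group("fields").split(",")]
        name = m.group("name").strip()
        user = fields[1] if len(fields) > 1 else None
        devices[name] = {"host": fields[0], "user": user}
        if len(fields) > 2 and fields[2]:
            findings.append(f"line {lineno}: plaintext password stored for '{name}'")
    return devices, findings

def audit_file(path):
    """Audit a TOOLS.md-style file: permissions first, then content."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:o} is accessible by group/others")
    with open(path, encoding="utf-8") as fh:
        devices, content_findings = parse_devices(fh.read())
    return devices, findings + content_findings

# Constructed sample input mirroring the page's example entries.
SAMPLE = """### MikroTik Devices
- **router1**: 192.168.88.1, admin, senha
- **router2**: 192.168.88.2, admin
"""

def demo():
    """Write the sample to a temp file with mode 644 and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "TOOLS.md")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_file(path)

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```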


Connection Methods

SSH — preferred: key-based auth (no password in command line)

# Generate key once (on agent machine)
ssh-keygen -t ed25519 -f ~/.ssh/mikrotik_key -N ""

# Copy public key to router
ssh-copy-id -i ~/.ssh/mikrotik_key.pub admin@192.168.88.1
# Or paste manually: /user/ssh-keys/import public-key-file=key.pub user=admin

# Connect (no password exposure)
ssh -i ~/.ssh/mikrotik_key \
  -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 \
  admin@192.168.88.1 "/ip address print"

If SSH key is not available, use password via env var only — never hardcode:

sshpass -p "$MIKROTIK_PASS" ssh -o StrictHostKeyChecking=accept-new \
  "$MIKROTIK_USER@$MIKROTIK_HOST" "/ip address print"

RouterOS API (Python)

pip3 install --break-system-packages routeros-api

import os
import routeros_api

# Credentials come from the environment; nothing is hardcoded.
conn = routeros_api.RouterOsApiPool(
    host=os.getenv('MIKROTIK_HOST'),
    username=os.getenv('MIKROTIK_USER', 'admin'),
    password=os.getenv('MIKROTIK_PASS', ''),
    plaintext_login=True,  # Required for ROS 6.43+
    port=8728  # unencrypted API service; 8729 is the TLS (api-ssl) port
)
api = conn.get_api()
# Read-only query: list the configured IP addresses.
resource = api.get_resource('/ip/address')
print(resource.get())
conn.disconnect()

REST API (curl — ROS 7.1+)

# Use env vars — never hardcode credentials
curl -u "$MIKROTIK_USER:$MIKROTIK_PASS" \
  --cacert /path/to/router-cert.pem \
  https://$MIKROTIK_HOST/rest/ip/address

# Dev/lab only (skip cert verify):
curl -k -u "$MIKROTIK_USER:$MIKROTIK_PASS" https://$MIKROTIK_HOST/rest/ip/address

See references/routeros-api.md for complete API reference.


Workflow (docs-first)

  1. Classify — SSH task, API automation, or OLT work?
  2. Check references — consult references/ before acting
  3. Read before write — always print/get current state first
  4. Confirm destructive ops — show exact command, ask before remove/set/reboot
  5. Backup first: /system backup save before major changes
  6. Verify — read back after changes

Quick Command Reference

Diagnostics

/system resource print
/system identity print
/system routerboard print
/interface print stats
/ip address print
/ip route print
/ip neighbor print
/log print
/tool ping 8.8.8.8 count=5
/tool traceroute 8.8.8.8
/tool torch interface=ether1

Interfaces & VLANs

/interface print detail
/interface vlan add name=vlan500 vlan-id=500 interface=ether2
/interface bridge add name=br-wan protocol-mode=rstp
/interface bridge port add bridge=br-wan interface=ether2
# IMPORTANT: for queues on bridged/PPPoE/VLAN traffic:
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes use-ip-firewall-for-pppoe=yes

PPPoE & ISP

/interface pppoe-server server add service-name=internet interface=vlan500 authentication=pap,chap
/ppp secret add name=user01 password=pass service=pppoe profile=plano-50M
/ppp active print
/ip pool add name=cgnat-pool ranges=100.65.62.0-100.65.63.255
/ppp profile add name=plano-50M local-address=100.64.0.1 remote-address=cgnat-pool use-radius=yes

NAT & Firewall

# masquerade (dynamic IP/PPPoE)
/ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade
# src-nat (static IP — CGNAT via loopback)
/ip firewall nat add chain=srcnat src-address=100.64.0.0/10 action=src-nat to-addresses=<loopback> out-interface=ether1-wan
# Flush conntrack after NAT changes:
/ip firewall connection remove [find]
# MSS clamping (mandatory for PPPoE):
/ip firewall mangle add chain=forward out-interface=pppoe-wan protocol=tcp tcp-flags=syn tcp-mss=1301-65535 action=change-mss new-mss=1300

RADIUS / MK-Auth

/radius add address=<mkauth-ip> secret=<secret> service=ppp timeout=3s
/ppp aaa set use-interim-update=yes interim-update=5m

BGP / OSPF (v7)

# BGP v7: peer-role mandatory
/routing bgp template set default as=65001
/routing bgp connection add name=transit remote.address=1.2.3.4/32 remote.as=65000 local.role=ebgp template=default
# OSPF v7
/routing ospf instance add name=ospf-main router-id=1.1.1.1
/routing ospf area add name=backbone area-id=0.0.0.0 instance=ospf-main

Backup & Export

/system backup save name=pre-change
/export compact
/export file=config-backup

Failover & Notifications

# Netwatch V6
/ip/netwatch/add host=8.8.8.8 interval=5s \
    down-script=":global comentario \"LINK1\"; :global LinkState 0; /system script run FAILOVER_ACTIONS" \
    up-script=":global comentario \"LINK1\"; :global LinkState 1; /system script run FAILOVER_ACTIONS"

# Netwatch V7 (execute{} required)
/ip/netwatch/add host=8.8.8.8 interval=5s \
    down-script=":global comentario \"LINK1\"; :global LinkState 0; execute {/system script run FAILOVER_ACTIONS}" \
    up-script=":global comentario \"LINK1\"; :global LinkState 1; execute {/system script run FAILOVER_ACTIONS}"

Scripts: FAILOVER_ACTIONS (Telegram + Google Sheets), FAILOVER_WPP (WhatsApp via Evolution API). See references/failover-notifications.md for complete scripts and docker-compose.

Professional alternative: netwatch-notify from the eworm-de/routeros-scripts repository offers count thresholds, parent/child dependencies, multiple channels and auto-update. See references/eworm-scripts.md.


Critical Behaviors (from official docs)

  • NAT: after rule changes → /ip firewall connection remove [find]
  • Bridge queues: need use-ip-firewall=yes on bridge
  • PPPoE: MSS clamping required (change-mss new-mss=1300)
  • BGP v7: peer-role mandatory; use input.accept-nlri for RAM efficiency
  • Routing filter v7: default action = reject; use "if (cond) { accept }"
  • Mangle: max 4096 unique packet marks

Safety Rules

  • Never /system reset-configuration without double confirmation
  • Never remove firewall input rules blindly — risk of SSH lockout
  • Always export config before bulk changes
  • Warn that PPPoE/NAT changes drop active sessions on live ISP routers
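
Workflow step 4 and the Safety Rules above describe a confirmation gate; one way to enforce it outside the agent's prompt is sketched below as an added example, not the skill's own code. It is a heuristic classifier: the verb sets beyond remove/set/reboot and all function names are assumptions, and anything it does not recognise as read-only requires confirmation.

```python
import re

# Workflow step 4 on this page names remove/set/reboot; the remaining verbs
# are an assumption added here so that other writes also fail closed.
CONFIRM_VERBS = {"remove", "set", "reboot", "add", "enable", "disable",
                 "run", "import", "shutdown"}
# Singled out by the page's Safety Rules for double confirmation.
DOUBLE_CONFIRM_PATHS = {("system", "reset-configuration")}
# Read-only verbs that appear in the page's command reference.
READ_VERBS = {"print", "export", "ping", "traceroute", "torch"}
LEVELS = {"read": 0, "confirm": 1, "double-confirm": 2}

def path_words(command):
    """Menu path and verb of one command, in either '/ip address print' or
    '/ip/address/print' form; stops at the first key=value or [query]."""
    words = []
    for tok in re.split(r"[\s/]+", command.strip()):
        if "=" in tok or tok.startswith("["):
            break
        if tok:
            words.append(tok.lower())
    return words

def classify_one(command):
    words = path_words(command)
    if tuple(words[:2]) in DOUBLE_CONFIRM_PATHS:
        return "double-confirm"
    if not words or CONFIRM_VERBS & set(words):
        return "confirm"
    # Unknown verbs are not assumed safe: only an explicit read verb passes.
    return "read" if READ_VERBS & set(words) else "confirm"

def classify(command_line):
    """Strictest class across ';'- or newline-chained commands."""
    parts = [p for p in re.split(r"[;\n]", command_line) if p.strip()]
    return max((classify_one(p) for p in parts),
               key=LEVELS.get, default="confirm")

# The first three commands are from this page; the chained one is constructed.
if __name__ == "__main__":
    for cmd in ("/ip address print",
                "/ip firewall connection remove [find]",
                "/system reset-configuration",
                "/ip address print; /system reboot"):
        print(f"{classify(cmd):15} {cmd}")
```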

Reference Files

| File | Contents |
| --- | --- |
| references/routeros-commands.md | Full CLI command reference (firewall, NAT, PPPoE, BGP, OSPF, scripting) |
| references/routeros-api.md | RouterOS API + REST API — Python patterns + complete resource path table |
| references/failover-notifications.md | Failover scripts + Telegram + WhatsApp (Evolution API) + Google Sheets |
| references/eworm-scripts.md | eworm-de/routeros-scripts — netwatch-notify, backup, health, dhcp-to-dns, telegram-chat |
| references/vsol-olt.md | VSOL V1600G-series OLT SSH management |
| references/isp-stack.md | End-to-end ISP config: OLT → MikroTik → RADIUS |
| scripts/ssh-exec.sh | SSH helper script |
| scripts/mikrotik_api.py | Python API client (no external deps) |
