Security Scan
OpenClaw
Security
high confidence
The skill's instructions, required credentials, and actions are coherent with managing MikroTik RouterOS devices; the main issues are provenance (no source/homepage) and a few insecure default suggestions in the docs (plaintext login and SSL verification disabled).
Assessment and Recommendations
This skill appears to do what it says (manage MikroTik RouterOS) and only needs the router host/user/password. Before installing or using it: (1) verify the routeros-api PyPI package and consider pinning a specific version or auditing its source; (2) avoid the insecure example defaults in the doc — prefer use_ssl=True with ssl_verify=True and avoid plaintext_login unless absolutely required by your router/version; (3) run installation in a controlled environment (virtualenv/container) rather tha...
✓ Purpose and Capabilities
The name/description match the instructions: the SKILL.md documents using the routeros-api Python library to manage RouterOS resources. Required credentials (host, username, password) and the operations described (read/add/set/remove/call) are exactly what a MikroTik management skill would need. Minor concern: the package/source provenance is missing (no homepage or source repo listed in metadata), which reduces auditability.
ℹ Instruction Scope
Instructions stay within the router management scope and only reference router credentials and API operations. They appropriately recommend env vars and disconnection. Notable security-relevant instructions: they set plaintext_login=True for compatibility and show use_ssl with ssl_verify=False and ssl_verify_hostname=False in the example — these weaken transport security and should be changed in production. The SKILL.md also suggests installing a package and provides a fallback to interactive input; it does not ask for unrelated files or other system credentials.
ℹ Installation Mechanism
There is no registry install spec; the runtime doc instructs users to run pip3 install --break-system-packages routeros-api. That will pull code from PyPI (moderate risk). The SKILL.md does not pin a package version or provide checksums, and the --break-system-packages flag can alter system package boundaries — these are operational risks but not incoherent with the skill's function.
✓ Credential Requirements
The only credentials the documentation asks for are MIKROTIK_HOST, MIKROTIK_USERNAME, and MIKROTIK_PASSWORD — proportionate and expected. The skill does not request unrelated credentials, config paths, or broad system access.
✓ Persistence and Permissions
The skill is instruction-only, always:false, and model invocation is not disabled (the normal default). It does not request permanent presence or modify other skills' configs. Autonomous invocation is allowed by platform default — this is expected for skills but note that an autonomously-invoked skill would have the ability to attempt network connections using provided credentials.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.1 2026/3/18
Update: Added instructions to use environment variables (MIKROTIK_HOST, MIKROTIK_USERNAME, MIKROTIK_PASSWORD) for secure connection.
● Suspicious
Install Command
Official: npx clawhub@latest install mikrotik-api
Mirror (accelerated): npx clawhub@latest install mikrotik-api --registry https://cn.longxiaskill.com