by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
What to check before installing:
- Metadata mismatch: the package metadata lists no required env vars/binaries, but the scripts need UNIFI_URL and UNIFI_API_KEY (or a config file) and the binaries curl and jq. Don't rely solely on the registry metadata—follow SKILL.md.
- Secrets: supply a read-only UniFi API key and keep it limited to Network read scope. The skill stores that key in ~/.clawdbot/credentials/unifi/config.json (SKILL.md recommends chmod 600) and caches API responses in ~/.clawdbot/...详细分析 ▾
ℹ 用途与能力
The skill's name and description (read-only UniFi Network access) align with the included scripts: all network inventory/health/clients/topology scripts use only GETs against the UniFi API. However the registry metadata declares no required env vars or binaries, but the SKILL.md and scripts require UNIFI_URL/UNIFI_API_KEY (or a config file) and runtime binaries (curl, jq). That metadata omission is an incoherence and should be corrected.
✓ 指令范围
Runtime instructions and scripts stay within the stated purpose: they only call UniFi API endpoints, read a local config (~/.clawdbot/credentials/unifi/config.json) for URL and API key, and write/read cache under ~/.clawdbot/cache/unifi/. Scripts are explicit about which endpoints are used and include a setup_test to validate endpoints. They do not attempt to read other system config or unrelated credentials.
✓ 安装机制
There is no install spec (no external downloads). All code is included in the package and scripts are executed directly. This is lower risk than remote installers; nothing in the files downloads arbitrary code from unknown hosts.
⚠ 凭证需求
The skill legitimately needs an API key and base URL (UNIFI_API_KEY, UNIFI_URL, optional UNIFI_SITE or config file). Those are appropriate and scoped to UniFi read-only access. The concern is that the registry metadata did not declare these required credentials or the primaryEnv, which is misleading. The skill writes raw API responses to local cache files (may contain sensitive information) and expects the user to create a config file containing the API key; the SKILL.md suggests chmod 600, which is good practice.
ℹ 持久化与权限
The skill persists data in ~/.clawdbot/cache/unifi/ and expects a credentials file at ~/.clawdbot/credentials/unifi/config.json. This is limited to its own directory (no system-wide changes) and always:false. Caching is intentional for efficiency but means API responses (including potentially sensitive device/client data) are stored on disk; the cache and config file locations are mutable via UNIFI_CONFIG_FILE and HOME.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/4
NULL
● Pending
安装命令
点击复制官方npx clawhub@latest install unifi-os
镜像加速npx clawhub@latest install unifi-os --registry https://cn.longxiaskill.com