Trust Assessment
jmagar/unifi-mcp:skills/unifi received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Potential Command Injection via Unsanitized Environment Variables in Shell Commands, Insecure SSL/TLS Communication (Data Exfiltration Risk), Insecure SSL/TLS Communication (Credential Harvesting Risk).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on May 20, 2026 (commit 949bec72). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Potential Command Injection via Unsanitized Environment Variables in Shell Commands The 'HTTP Fallback Mode' section describes `curl` commands that directly interpolate environment variables (`$CLAUDE_PLUGIN_OPTION_UNIFI_CONTROLLER_URL`, `$CLAUDE_PLUGIN_OPTION_UNIFI_USERNAME`, `$CLAUDE_PLUGIN_OPTION_UNIFI_PASSWORD`) into a shell command. If these variables are not strictly sanitized by the execution environment or if a malicious actor can influence their values (e.g., by injecting shell metacharacters into the URL or credentials), it could lead to arbitrary command execution on the host system. Avoid direct interpolation of potentially untrusted or configurable variables into shell commands. Use a robust HTTP client library that handles parameterization securely, or ensure strict input validation and sanitization of all variables before they are used in shell contexts. | LLM | SKILL.md:79 | |
| MEDIUM | Insecure SSL/TLS Communication (Data Exfiltration Risk) The `curl` commands in the 'HTTP Fallback Mode' explicitly use the `-k` (insecure) flag, which disables SSL/TLS certificate verification. This vulnerability allows for Man-in-the-Middle (MITM) attacks, where an attacker could intercept and read all data exchanged with the UniFi controller, including sensitive network configuration and operational data, leading to unauthorized data exfiltration. Implement proper certificate validation. If self-signed certificates are necessary, configure the client to trust specific certificates or certificate authorities rather than disabling all SSL/TLS verification. | LLM | SKILL.md:81 | |
| MEDIUM | Insecure SSL/TLS Communication (Credential Harvesting Risk) The `curl` commands in the 'HTTP Fallback Mode' explicitly use the `-k` (insecure) flag, which disables SSL/TLS certificate verification. This vulnerability allows for Man-in-the-Middle (MITM) attacks, where an attacker could intercept the login request and harvest the UniFi controller username and password transmitted in plain text over the unverified connection. Implement proper certificate validation. If self-signed certificates are necessary, configure the client to trust specific certificates or certificate authorities rather than disabling all SSL/TLS verification. | LLM | SKILL.md:81 |
Scan History
Embed Code
[](https://skillshield.io/report/d45164207450a596)
Powered by SkillShield