Trust Assessment
unifi received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 2 high, 3 medium, and 1 low severity. Key findings include Sensitive path access: AI agent config, Sensitive environment variable access: $HOME, Insecure SSL/TLS for API calls (Credential Harvesting).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/jmagar/unifi/SKILL.md:19 | |
| HIGH | Insecure SSL/TLS for API calls (Credential Harvesting) The `curl` commands in `scripts/unifi-api.sh` use the `-k` or `--insecure` flag, which disables SSL/TLS certificate validation. This makes the communication vulnerable to Man-in-the-Middle (MITM) attacks. An attacker could intercept the login credentials (username/password) during the `unifi_login` call or the session cookie and API responses during subsequent `unifi_get` calls, compromising the confidentiality and integrity of the communication with the UniFi gateway. Remove the `-k` flag from all `curl` commands. Ensure the UniFi gateway uses a valid, trusted SSL certificate. If using a self-signed certificate, consider adding it to the system's trust store or providing a specific CA bundle to `curl` using `--cacert`. | LLM | scripts/unifi-api.sh:40 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jmagar/unifi/scripts/dashboard.sh:7 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jmagar/unifi/scripts/unifi-api.sh:6 | |
| MEDIUM | Debug dump of sensitive data to arbitrary location The `scripts/dashboard.sh` script creates a file named `dashboard_debug_dump.json` in the current working directory. This file contains a comprehensive dump of all fetched UniFi data, including health, devices, clients, port forwarding rules, firewall rules, networks, WLANs, alarms, routing, and system info. This data can be highly sensitive, revealing network topology, device details, client information (IPs, MACs, hostnames), and configuration. While intended for debugging, writing such a file to an arbitrary working directory without explicit user consent or clear cleanup mechanisms poses a risk. If the skill is executed in a shared or insecure environment, or if the file is not properly managed, this sensitive data could be exposed. Remove the debug dump functionality (`jq -n ... > dashboard_debug_dump.json`). If debugging is necessary, consider logging to a secure, temporary location with strict permissions, or only enabling it via an explicit, documented configuration option, and ensuring proper cleanup. | LLM | scripts/dashboard.sh:44 | |
| LOW | Hardcoded output path in user's home directory The `scripts/dashboard.sh` script hardcodes an output file path `"$HOME/clawd/memory/bank/unifi-inventory.md"`. While writing to the user's home directory is generally acceptable for user-specific data, hardcoding a specific path deep within a potentially shared `clawd/memory/bank` directory might be considered an overly broad or unexpected filesystem interaction for a skill. It assumes the existence of this directory structure and writes a file without explicit user configuration or confirmation. This could lead to unexpected file creation or potential conflicts if other skills also use similar hardcoded paths. Allow the user to configure the output path for inventory data, or prompt for confirmation before writing to a specific location. Alternatively, if this is intended as a skill-specific cache, ensure it's clearly documented and managed. | LLM | scripts/dashboard.sh:10 |
Scan History
Embed Code
[](https://skillshield.io/report/235aac77b02ac401)
Powered by SkillShield