Is araa47/ez-unifi safe?

https://github.com/openclaw/skills/tree/main/skills/araa47/ez-unifi

87
SAFE

ez-unifi is a well-structured, transparent UniFi network management CLI with no malicious behavior detected. The skill code is clean Python with no injection attempts, no exfiltration to third-party endpoints, and a standard install that only contacted GitHub. The primary risks are architectural rather than malicious: the skill collects Super Admin credentials for critical network infrastructure, disables TLS verification, and exposes a raw API passthrough — all of which are reasonable design choices for a LAN management tool but represent a large blast radius if the agent session is later compromised.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 84/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 98/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Super Admin credential collection with full network control scope -18

The skill explicitly instructs the agent to walk users through creating a Super Admin account and collecting the credentials into .env. While this is necessary for the stated functionality, it means the agent session holds credentials capable of blocking any device, modifying firewall rules, changing WiFi passwords, and triggering firmware upgrades on all network equipment.

MEDIUM Raw API passthrough allows arbitrary controller requests -12

The 'raw' subcommand accepts arbitrary HTTP method, path, and JSON body and relays them directly to the UniFi controller. A compromised or prompt-injected agent could use this to enumerate all endpoints, extract full client lists with MAC/IP/hostname, or make undocumented API calls not exposed by the named subcommands.

LOW Runtime dependency auto-download via uv inline script metadata -8

The PEP 723 inline dependency block causes uv to download aiounifi>=88, aiohttp>=3.9.0, and python-dotenv>=1.0.0 from PyPI at first execution. If the PyPI package index or any of these packages were compromised, the agent would execute attacker-supplied code without any additional user interaction.

LOW TLS certificate verification disabled -6

Setting ssl_context=False skips certificate validation when connecting to the UniFi controller. On networks where an attacker could intercept traffic (compromised router, rogue AP, or ARP spoofing), controller credentials and session tokens would be transmitted over a channel vulnerable to MitM interception.

INFO Clean install — single GitHub connection only 0

The install made exactly one outbound HTTPS connection to GitHub (140.82.121.4:443) for a shallow sparse-checkout. No other external hosts were contacted. No persistent services, listeners, or background processes were left behind.

INFO Pre-clone canary reads attributed to audit infrastructure 0

Filesystem events showed .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened at timestamp 1771651595 — approximately 5 seconds before the git clone began at 1771651600. This timing is consistent with the audit system performing its initial honeypot baseline capture, not skill-initiated access. No content changes or network exfiltration of canary data was detected.