Is florianbeer/librenms safe?
https://github.com/openclaw/skills/tree/main/skills/florianbeer/librenms
The florianbeer/librenms skill is a straightforward read-only LibreNMS network monitoring wrapper with no prompt injection, no malicious code execution, and no confirmed data exfiltration. The primary security concern is the use of curl -k which disables SSL certificate verification on all LibreNMS API calls, exposing the API token to interception on untrusted networks and allowing environment-variable-controlled URL redirection. Canary file accesses detected in monitoring are attributed to the audit framework's pre- and post-install baseline checks rather than the skill itself, and the canary integrity check confirms all honeypot files remain intact and unmodified.
Findings (6)
HIGH curl SSL certificate verification disabled by default -20
The api_call() function in librenms.sh invokes curl with -sk flags. The -k flag disables TLS certificate verification for all API calls to the LibreNMS instance. This means the X-Auth-Token API credential is transmitted without verifying the server's identity, making the skill vulnerable to man-in-the-middle attacks on untrusted networks. An attacker with network access could intercept the API token and gain full read access to the LibreNMS infrastructure data.
MEDIUM Unsanitized hostname parameter injected into API URL path -10
The cmd_device(), cmd_health(), and cmd_ports() functions pass user-supplied or agent-supplied hostname values directly into API URL paths without URL encoding or validation. A hostname containing path traversal characters (e.g., ../../admin) or query string injections could alter the API endpoint being called on the LibreNMS server.
MEDIUM Canary files accessed post-install — attributed to audit framework, not skill -18
Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and accessed after install completion at timestamp 1771934926.063. All six accesses share an identical millisecond timestamp and consecutive audit event IDs (1439-1444), which is a batch-read pattern consistent with the oathe audit framework's post-install canary verification step rather than skill-initiated access. The skill script contains no code targeting these paths. Canary integrity confirmed intact.
LOW Infrastructure topology disclosure via network monitoring data -20
By design, the skill queries and exposes comprehensive network infrastructure data including device hostnames, IP addresses, hardware details, OS versions, serial numbers, physical locations, uptime, port traffic statistics, and active security alerts. When injected into an agent system prompt, this skill grants the agent full visibility into the user's network topology, which could be valuable reconnaissance data if the agent context is compromised or if this skill is chained with a data-exfiltration skill.
LOW LIBRENMS_URL environment variable controls API destination without validation -5
The load_config() function accepts LIBRENMS_URL from the environment with no validation or allowlist. If an attacker can set this environment variable (through another skill, a compromised config, or a prompt injection in a different skill), API calls including the user's LibreNMS API token will be directed to an attacker-controlled host. Combined with the -k flag, the token would be silently leaked.
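A hardened shape for the api_call() and cmd_device() path that addresses the curl -k, hostname-injection and LIBRENMS_URL findings together (an added example, not the skill's own code): TLS verification stays on, LIBRENMS_URL must be https and its host must be on an allowlist, and hostnames that could alter the API path are rejected before use. LIBRENMS_TOKEN, LIBRENMS_CACERT and LIBRENMS_ALLOWED_HOSTS are assumed variable names; the skill's real config names are not on this page.

```shell
# Added example, not the florianbeer/librenms skill's code. Assumed variable
# names: LIBRENMS_TOKEN, LIBRENMS_CACERT, LIBRENMS_ALLOWED_HOSTS.
set -eu

# Hosts the token may be sent to (space separated); a hostile environment
# can still set LIBRENMS_URL, but only to one of these.
ALLOWED_HOSTS="${LIBRENMS_ALLOWED_HOSTS:-nms.example.internal}"

validate_url() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "refusing non-https LIBRENMS_URL: $url" >&2; return 1 ;;
  esac
  host="${url#https://}"; host="${host%%/*}"; host="${host%%:*}"
  for allowed in $ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  echo "LIBRENMS_URL host not allowlisted: $host" >&2
  return 1
}

# Accept only DNS-style hostnames, so '/', '?', '#', '%' or '..' segments
# cannot change which API endpoint is called.
validate_hostname() {
  h="$1"
  [ -n "$h" ] && [ "${#h}" -le 253 ] || return 1
  case "$h" in
    *[!A-Za-z0-9.-]*) return 1 ;;   # character outside [A-Za-z0-9.-]
    -*|*-|.*|*.|*..*) return 1 ;;   # leading/trailing separator, empty label
  esac
  return 0
}

api_call() {
  path="$1"
  validate_url "$LIBRENMS_URL" || return 1
  set -- -sS --fail -H "X-Auth-Token: $LIBRENMS_TOKEN"
  # Private CA? Pin it with --cacert instead of disabling verification (-k).
  if [ -n "${LIBRENMS_CACERT:-}" ]; then
    set -- "$@" --cacert "$LIBRENMS_CACERT"
  fi
  curl "$@" "${LIBRENMS_URL%/}/api/v0/$path"
}

cmd_device() {
  validate_hostname "$1" || { echo "invalid hostname: $1" >&2; return 1; }
  api_call "devices/$1"
}
```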
INFO Expected GitHub network activity during sparse checkout install 0
Install connected to 140.82.121.3:443 (GitHub) to clone the openclaw/skills monorepo with sparse checkout targeting skills/florianbeer/librenms. Pre-existing Ubuntu update connections (91.189.91.48, 185.125.188.54) were unrelated to the install. Post-install connection state shows no new persistent connections.