unifi-advisor

Read-only UniFi network advisor covering the Site Manager cloud API and the Network Integration API. Query devices, clients, networks, firewall zones and policies, ACL rules, DNS policies, VPN tunnels, DPI, ISP metrics, and related UniFi state. Use when inspecting UniFi environments with GET-only operations and no writes.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "unifi-advisor" with this command: npx skills add arseni-mik/unifi-advisor

UniFi Network Advisor

Read-only skill covering two official UniFi API surfaces. All operations are GET-only — no writes, no mutations of any kind.

API surfaces

Everything goes through https://api.ui.com. No direct local connection required.

PrefixSurfaceProxied viaEnv vars needed
SMSite Managerapi.ui.com/v1/...UNIFI_API_KEY
NETNetwork Integrationapi.ui.com/v1/connector/consoles/{hostId}/proxy/network/integration/v1/...UNIFI_API_KEY (host/site resolved automatically)

How to call the script

python3 {baseDir}/scripts/unifi.py <subcommand> [--site SITE] [--id ID] [--limit N] [--next-token TOKEN] [subcommand-specific flags]

Some subcommands require additional flags — see the table below. Use python3 {baseDir}/scripts/unifi.py list to see all subcommands with descriptions.

Subcommands

Site Manager (SM) — cloud, single API key

SubcommandEndpointRequired flagsDescription
hostsGET /v1/hostsAll UniFi OS consoles on the UI account
hostGET /v1/hosts/{id}--idConsole details
sitesGET /v1/sitesAll sites across all consoles
cloud-devicesGET /v1/devicesAll devices across all sites
isp-metricsGET /ea/isp-metrics/{type}ISP performance metrics
sdwanGET /v1/sd-wan-configsSD-WAN configurations
sdwan-configGET /v1/sd-wan-configs/{id}--idSpecific SD-WAN config
sdwan-statusGET /v1/sd-wan-configs/{id}/status--idSD-WAN deployment status

Network Integration (NET) — proxied via api.ui.com, site resolved automatically

SubcommandEndpointRequired flagsDescription
infoGET /v1/infoController version and capabilities
net-sitesGET /v1/sitesSites managed by this console
devicesGET /v1/sites/{siteId}/devicesAdopted devices overview
deviceGET /v1/sites/{siteId}/devices/{id}--idDevice details
device-statsGET /v1/sites/{siteId}/devices/{id}/statistics/latest--idLatest device statistics
devices-pendingGET /v1/pending-devicesDevices pending adoption (console-scoped)
clientsGET /v1/sites/{siteId}/clientsConnected clients overview
clientGET /v1/sites/{siteId}/clients/{id}--idClient details
networksGET /v1/sites/{siteId}/networksNetworks overview
networkGET /v1/sites/{siteId}/networks/{id}--idNetwork details
network-refsGET /v1/sites/{siteId}/networks/{id}/references--idWhat references a specific network (devices, clients, WiFi)
wifiGET /v1/sites/{siteId}/wifi/broadcastsWiFi broadcast (SSID) overview
wifi-detailsGET /v1/sites/{siteId}/wifi/broadcasts/{id}--idWiFi broadcast details
firewall-zonesGET /v1/sites/{siteId}/firewall/zonesFirewall zones
firewall-zoneGET /v1/sites/{siteId}/firewall/zones/{id}--idFirewall zone details
firewall-policiesGET /v1/sites/{siteId}/firewall/policiesFirewall policies
firewall-policyGET /v1/sites/{siteId}/firewall/policies/{id}--idFirewall policy details
firewall-orderingGET /v1/sites/{siteId}/firewall/policies/ordering--from-zone --to-zonePolicy ordering between two zones
acl-rulesGET /v1/sites/{siteId}/acl-rulesACL rules
acl-ruleGET /v1/sites/{siteId}/acl-rules/{id}--idACL rule details
acl-orderingGET /v1/sites/{siteId}/acl-rules/orderingACL rule ordering
dns-policiesGET /v1/sites/{siteId}/dns/policiesDNS policies
dns-policyGET /v1/sites/{siteId}/dns/policies/{id}--idDNS policy details
traffic-listsGET /v1/sites/{siteId}/traffic-matching-listsTraffic matching lists
traffic-listGET /v1/sites/{siteId}/traffic-matching-lists/{id}--idTraffic matching list details
vouchersGET /v1/sites/{siteId}/hotspot/vouchersHotspot vouchers
voucherGET /v1/sites/{siteId}/hotspot/vouchers/{id}--idVoucher details
wansGET /v1/sites/{siteId}/wansWAN interfaces overview
vpn-tunnelsGET /v1/sites/{siteId}/vpn/site-to-site-tunnelsSite-to-site VPN tunnels
vpn-serversGET /v1/sites/{siteId}/vpn/serversVPN server configurations
radiusGET /v1/sites/{siteId}/radius/profilesRADIUS profiles
device-tagsGET /v1/sites/{siteId}/device-tagsDevice tags
dpi-categoriesGET /v1/dpi/categoriesDPI application categories
dpi-applicationsGET /v1/dpi/applicationsDPI applications
countriesGET /v1/countriesCountries list (for geo-IP rules)

Examples

# List all sites and pick one to work with
python3 {baseDir}/scripts/unifi.py library

# firewall-ordering: get zone IDs first, then query ordering between two of them
# --from-zone and --to-zone must be real UUIDs from the firewall-zones output
python3 {baseDir}/scripts/unifi.py firewall-zones --site hq
python3 {baseDir}/scripts/unifi.py firewall-ordering --site hq --from-zone <zoneId> --to-zone <zoneId>

# network-refs: get network list first, then query references for a specific network
python3 {baseDir}/scripts/unifi.py networks --site hq
python3 {baseDir}/scripts/unifi.py network-refs --site hq --id <networkId>

# sdwan-config / sdwan-status: list configs first to get an ID
python3 {baseDir}/scripts/unifi.py sdwan
python3 {baseDir}/scripts/unifi.py sdwan-config --id <configId>
python3 {baseDir}/scripts/unifi.py sdwan-status --id <configId>

Site library

On every invocation the skill builds a site library by joining:

  • GET /v1/hosts — host names (user-set), hardware model, connection state, apiIntegration flag
  • GET /v1/sitessiteId per hostId

Labels come directly from the name the user set in the UniFi UI — e.g. "HQ" → hq, "Branch Office" → branch-office, "Remote Site" → remote-site. The library is cached in ~/.unifi-skill.json for 15 minutes to avoid redundant API calls.

Hosts without Network API support (e.g. a NAS device with apiIntegration: false) are included in the library but will return a clear error if targeted with NET subcommands.

Run library to see the current library including state, hardware, and API capability of each host.

Site selection

All NET subcommands accept --site <hint>. The hint is matched against label, name, hardware shortname, hardware name, timezone, and IP — partial matches work.

User saysUse
"the main office network"--site hq
"remote site firewall"--site remote-site
"the branch office"--site branch-office
"the Dream Machine Pro"--site udmpro
"the warehouse AP"--site warehouse

If --site is omitted the first entry in the library is used. If the hint is ambiguous the skill lists the matching labels and asks for a more specific hint.

Always specify --site when the user mentions a location or device. When the user says "my network" without specifying, run library first to show what sites are available and ask which one they mean.

How to give advice

Devices (devices, device)

  • status != "online" → offline or disconnected — surface to user
  • firmwareStatus: "updateAvailable" → firmware update pending
  • device-stats → CPU/memory/uptime signals for performance issues

Clients (clients, client)

  • High noise or weak signal → coverage gap, suggest AP placement review
  • Unexpected clients on sensitive VLANs → flag for review

Firewall (firewall-policies, firewall-zones, acl-rules)

  • Policies allowing all traffic between sensitive zones → flag as overly broad
  • Cross-zone allow rules → confirm intentional with user
  • Check firewall-ordering — rules are evaluated in order; misplaced rules cause unexpected behaviour

DNS (dns-policies)

  • Custom DNS policies can bypass filtering — flag any unexpected overrides

VPN (vpn-tunnels, vpn-servers)

  • Tunnel state down → connectivity issue to surface
  • Verify expected peers are configured

ISP metrics (isp-metrics)

  • Packet loss > 1% or latency spikes → WAN quality issue, advise checking with ISP

Notes

  • network-refs requires --id (a network ID). Only networks with active references (devices, clients, or WiFi assigned to them) return data — unused networks return a handled error: "Network '...' has no active references". Run networks first to list all networks, then pass the ID of one that carries traffic.
  • firewall-ordering requires both --from-zone and --to-zone. Run firewall-zones first to list zone IDs. The API returns the ordered policy IDs for traffic flowing from the source zone to the destination zone.
  • sdwan-config and sdwan-status require --id. Run sdwan first to list configs and get an ID. These return empty on accounts without SD-WAN configured.

Source & contributing

Source code, issue tracker, and contributions: github.com/arseni-mik/open_claw-unifi-skill

Constraints

  • All operations are GET-only. Never suggest using this skill to make changes.
  • Guide the user to make changes in the UniFi dashboard or mobile app.
  • Do not expose raw API keys in responses.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

client-onboard

Generate a complete client onboarding package from a project description. Creates project brief, tech stack, milestones, folder structure, CLAUDE.md, and a r...

Registry SourceRecently Updated
4540kevdogg102396-afk
Coding

workflow-migrate

Migrate N8N/Zapier/Make workflows to production-grade Python or Node.js scripts. Given a workflow description or paste, rewrites automation logic with retry,...

Registry SourceRecently Updated
6151kevdogg102396-afk
Coding

Freelance Proposal Writer

Write high-converting freelance proposals from job postings (Upwork, Toptal, Freelancer, etc). Given a job URL or pasted description, analyzes the client's r...

Registry SourceRecently Updated
5310kevdogg102396-afk
Coding

Spec-First Development

Spec-driven development workflow. Before writing any code, generates a comprehensive SPEC.md covering data models, user flows, API contracts, file structure,...

Registry SourceRecently Updated
5350kevdogg102396-afk