plugins/unifi-protect/skills/unifi-protect-setup/SKILL.md
Configure the UniFi Protect MCP server for Claude Code, Codex, or OpenClaw — set NVR host, credentials, and permissions
Walk the user through configuring their UniFi Protect NVR connection. Ask one question at a time and wait for the answer before continuing.
Use the client target that matches the current agent runtime:
claude
codex
openclaw
If the runtime is unclear, ask which client to configure. For questions, use the platform's blocking question tool when available (AskUserQuestion in Claude Code, request_user_input in Codex). If no blocking question tool is available, ask in chat with numbered options and wait for the user's reply.
On macOS and Linux, resolve setup scripts relative to this skill file:
../../scripts/check-prereqs.sh
../../scripts/set-env.sh
When the host exposes a plugin-root variable such as CLAUDE_PLUGIN_ROOT, using $CLAUDE_PLUGIN_ROOT/scripts/... is also valid. Do not assume the current shell directory is the plugin root.
On Windows with Claude Code, use ../../scripts/set-env.ps1 for the final Claude settings write. On Windows with Codex, call codex mcp add directly with the same env variables if Bash is unavailable. On Windows with OpenClaw, call openclaw mcp set directly with a JSON object containing command, args, and env if Bash is unavailable.
Before asking for credentials, run:
bash <path-to-plugin>/scripts/check-prereqs.sh --target <claude|codex|openclaw> "unifi-protect"
If the script exits non-zero, stop and report the error. Do not proceed to credentials.
Ask: "What is your UniFi controller's IP address or hostname?" Example: 192.168.1.1.
If another UniFi MCP server is already configured, ask whether Protect is on the same controller. For Claude, existing values may be in .claude/settings.local.json. For Codex, existing values may be visible through codex mcp list and codex mcp get <server>. For OpenClaw, existing values may be visible through openclaw mcp list and openclaw mcp show <server>.
If the user already configured shared UNIFI_* credentials for another UniFi server, mention they can reuse those credentials. Only set UNIFI_PROTECT_* values when Protect credentials differ.
Ask for:
Username and password are required.
AI-powered alarms need SuperAdmin. The alarm-rule tools (protect_alarm_list_rules / protect_alarm_get_rule) surface AI-powered alarms from the UniFi-OS Alarm Manager only when the account is SuperAdmin; otherwise they return the classic automations view (with a _meta notice that AI alarms need SuperAdmin). A standard local admin runs every Protect tool fine. Mention SuperAdmin only if the user asks about AI alarms; don't require it for normal setup. On a combined UDM console, SuperAdmin also grants Network/UniFi-OS control — call that out so the user can decide.
After collecting username and password, explain that UniFi API key support is experimental and limited to read-only operations and a subset of tools. Ask whether to configure an API key too.
If yes, ask for the API key and include UNIFI_PROTECT_API_KEY. If no, skip it.
Ask whether to enable write permissions. By default, Protect mutations are disabled for camera settings, recording control, PTZ, and reboots.
Options:
Collect any selected policy variables. Use the existing UNIFI_POLICY_PROTECT_<CATEGORY>_<ACTION>=true format.
On macOS/Linux, run the target-aware setup script with only values the user provided or selected:
bash <path-to-plugin>/scripts/set-env.sh --target <claude|codex|openclaw> \
UNIFI_PROTECT_HOST=<host> \
UNIFI_PROTECT_USERNAME=<username> \
UNIFI_PROTECT_PASSWORD=<password>
Add optional values and policy variables to the same command, for example:
bash <path-to-plugin>/scripts/set-env.sh --target <claude|codex|openclaw> \
UNIFI_PROTECT_HOST=<host> \
UNIFI_PROTECT_USERNAME=<username> \
UNIFI_PROTECT_PASSWORD=<password> \
UNIFI_PROTECT_API_KEY=<api-key> \
UNIFI_POLICY_PROTECT_CAMERAS_UPDATE=true
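An added example, not part of this skill or its scripts: a POSIX shell pre-check for the collected answers before they are placed on the set-env.sh command line shown above. The key names come from this page; the function names and the value rules (hostname or IPv4 characters only, no unfilled <placeholders>, no control characters) are assumptions.

```sh
#!/bin/sh
# Added example: vet --target and KEY=VALUE arguments before calling set-env.sh.
# Key names are the ones on this page; the value rules are assumptions.

valid_target() {
    case $1 in
        claude|codex|openclaw) return 0 ;;
        *) return 1 ;;
    esac
}

# Only ever called inside the subshell below, so exit ends that check only.
_reject() { echo "rejected: $1" >&2; exit 1; }

# Body is a subshell ( ... ): LC_ALL=C and loop variables do not leak out.
validate_protect_env() (
    LC_ALL=C; export LC_ALL
    [ "$#" -gt 0 ] || _reject "no values given"
    for pair in "$@"; do
        case $pair in
            *=*) key=${pair%%=*}; val=${pair#*=} ;;
            *) _reject "argument is not KEY=VALUE" ;;
        esac
        case $key in
            UNIFI_PROTECT_HOST) kind=host ;;
            UNIFI_PROTECT_USERNAME|UNIFI_PROTECT_PASSWORD|UNIFI_PROTECT_API_KEY) kind=text ;;
            UNIFI_POLICY_PROTECT_*[!A-Z0-9_]*) _reject "malformed policy key" ;;
            UNIFI_POLICY_PROTECT_?*_?*) kind=policy ;;
            *) _reject "unexpected key" ;;
        esac
        # Empty values and unfilled <placeholders> from the template never pass.
        case $val in
            ''|'<'*'>') _reject "$key is empty or still a placeholder" ;;
        esac
        clean=$(printf '%s' "$val" | tr -d '[:cntrl:]')
        [ "$clean" = "$val" ] || _reject "$key contains control characters"
        case $kind:$val in
            host:*[!A-Za-z0-9.-]*|host:-*|host:.*|host:*-|host:*.)
                _reject "$key is not a plain hostname or IPv4 address" ;;
            policy:true) ;;
            policy:*) _reject "$key must be exactly true" ;;
        esac
    done
    exit 0
)

# Constructed sample values, not taken from any real controller.
validate_protect_env UNIFI_PROTECT_HOST=192.168.1.1 \
    UNIFI_POLICY_PROTECT_CAMERAS_UPDATE=true && echo "ok to pass to set-env.sh"
```

Pass each accepted value to set-env.sh as its own double-quoted argument so a password containing spaces or shell metacharacters stays a single word.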
The script handles the client-specific write:
.claude/settings.local.json
unifi-protect MCP server via codex mcp add --env ... -- uvx ...
unifi-protect MCP server via openclaw mcp set ...
For Claude Code, tell the user:
"Configuration saved to .claude/settings.local.json. Restart Claude Code or run /reload-plugins, then confirm the plugin is enabled with /plugin."
For Codex, tell the user:
"Codex MCP server unifi-protect configured. Restart Codex so the updated MCP server is loaded."
For OpenClaw, tell the user:
"OpenClaw MCP server unifi-protect configured. Restart the OpenClaw Gateway so the updated MCP server is loaded."