
Netmiko SSH Automation
Write or review safe Python Netmiko scripts that SSH to routers and switches for read-only audits without risking production config drift.
Overview
Netmiko SSH Automation is an agent skill for the Operate phase that teaches safe Python Netmiko patterns for read-only SSH collection, bounded batches, TextFSM parsing, and guarded config changes on network devices.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill netmiko-ssh-automation
What is this skill?
- Defaults to read-only send_command() collection across explicit small inventories
- Covers Netmiko timeouts, authentication exceptions, and bounded concurrency for older devices
- TextFSM parsing when templates exist for structured show output
- Requires explicit operator flag before send_config_set() and blocks save_config() until verified
- Credentials via env, vault, or getpass—never hardcoded secrets
Adoption & trust: 1.2k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need to pull consistent show output from routers and switches but your SSH scripts lack timeouts, leak credentials, or might push config without a rollback plan.
Who is it for?
Solo builders or indie SREs writing small Netmiko audit scripts before a maintenance window or reviewing a teammate’s network automation PR.
Skip if: Teams that only need Ansible playbooks with no custom Python, or anyone who wants unattended full-fleet config pushes without change control.
When should I use this skill?
Writing or reviewing Python automation that connects to network devices with Netmiko.
What do I get? / Deliverables
You get copy-paste-safe read-first Netmiko flows with explicit gates for config changes, inventory discipline, and production-ready error handling.
- Read-only collection script pattern
- Guarded config-change checklist
- Exception and timeout handling blocks
Journey fit
Network device collection and guarded changes are production infrastructure work after the app is live, not greenfield product coding. Infra is where solo builders run bounded SSH automation, inventory audits, and change-window config pushes on real gear.
How it compares
Use for handcrafted Netmiko Python with safety rails—not as a substitute for a full network orchestration platform or Terraform cloud networking.
Common Questions / FAQ
Who is netmiko-ssh-automation for?
Developers and operators who automate Cisco-style devices with Python Netmiko and want read-only defaults plus explicit rules before any config mutation.
When should I use netmiko-ssh-automation?
When collecting show output across a short device list, adding timeouts to fragile SSH scripts, parsing CLI with TextFSM, or reviewing automation in Operate before production touch.
Is netmiko-ssh-automation safe to install?
Treat it as procedural guidance only; review the Security Audits panel on this Prism page and never run generated scripts against production without your own review and change window.
SKILL.md
# Netmiko SSH Automation

Use this skill when writing or reviewing Python automation that connects to network devices with Netmiko. Keep the default path read-only; config changes need a separate change window, peer review, and rollback plan.

## When to Use

- Collecting `show` command output across routers, switches, or firewalls.
- Building a small audit script for interface, routing, or config evidence.
- Adding timeouts and exception handling to network SSH scripts.
- Parsing command output with TextFSM when a template exists.
- Reviewing automation before it touches production devices.

## Safety Defaults

- Start with read-only `send_command()` collection.
- Keep inventory small and explicit; do not sweep whole address ranges.
- Use environment variables, a vault, or `getpass`; never hardcode credentials.
- Set connection and read timeouts.
- Limit concurrency so older devices are not overloaded.
- Require an explicit operator flag before `send_config_set()`.
- Do not call `save_config()` until the change has been verified and approved.

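
The last two defaults above (an explicit operator flag before `send_config_set()`, and no `save_config()` until the change is verified and approved) can be enforced in code rather than by convention. The following is an added example, not part of the original skill: `guarded_change`, `ChangeResult`, `StubConn` and the `--allow-config` / `--approve-save` flag names are hypothetical, and `conn` is assumed to be a connected Netmiko session or any object exposing the same three methods.

```python
import argparse
from dataclasses import dataclass, field

@dataclass
class ChangeResult:
    pushed: bool = False
    verified: bool = False
    saved: bool = False
    reason: str = ""
    evidence: dict = field(default_factory=dict)

def build_parser():
    # Hypothetical flag names; both default to off so a bare run stays read-only.
    p = argparse.ArgumentParser()
    p.add_argument("--allow-config", action="store_true")
    p.add_argument("--approve-save", action="store_true")
    return p

def guarded_change(conn, commands, verify_cmd, expect, allow_config=False, approve_save=False):
    res = ChangeResult()
    # Read-only evidence first, so a blocked run still leaves an audit record.
    res.evidence["before"] = conn.send_command(verify_cmd, read_timeout=30)
    if not allow_config:
        res.reason = "operator flag not set; send_config_set() skipped"
        return res
    res.evidence["push"] = conn.send_config_set(list(commands))
    res.pushed = True
    # Verify with a read-only command before anything is made persistent.
    res.evidence["after"] = conn.send_command(verify_cmd, read_timeout=30)
    res.verified = expect in res.evidence["after"]
    if not res.verified:
        res.reason = "verification failed; not saved, apply the rollback plan"
    elif not approve_save:
        res.reason = "verified but not approved; save_config() skipped"
    else:
        conn.save_config()
        res.saved = True
    return res

class StubConn:  # constructed stand-in for a device session so this runs offline
    def __init__(self):
        self.running, self.calls = [], []
    def send_command(self, command, read_timeout=10):
        return "\n".join(self.running)
    def send_config_set(self, commands):
        self.calls.append("send_config_set")
        self.running += commands
        return "\n".join(commands)
    def save_config(self): self.calls.append("save_config")
```

Against a real device, pass the `conn` from `with ConnectHandler(**device) as conn:` in place of `StubConn()` and feed the two flags from `build_parser().parse_args()`.
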
## Read-Only Connection Pattern

```python
import os
from getpass import getpass

from netmiko import ConnectHandler
from netmiko.exceptions import (
    NetmikoAuthenticationException,
    NetmikoTimeoutException,
    ReadTimeout,
)

# Credentials come from the environment or an interactive prompt, never from source.
device = {
    "device_type": "cisco_ios",
    "host": "192.0.2.10",
    "username": os.environ.get("NETMIKO_USERNAME") or input("Username: "),
    "password": os.environ.get("NETMIKO_PASSWORD") or getpass("Password: "),
    "secret": os.environ.get("NETMIKO_ENABLE_SECRET"),
    "conn_timeout": 10,
    "auth_timeout": 20,
    "banner_timeout": 15,
    "read_timeout_override": 30,
}

try:
    with ConnectHandler(**device) as conn:
        # Enter enable mode only when a secret was supplied and it is needed.
        if device.get("secret") and not conn.check_enable_mode():
            conn.enable()
        output = conn.send_command("show ip interface brief", read_timeout=30)
        print(output)
except NetmikoAuthenticationException:
    print("Authentication failed")
except NetmikoTimeoutException:
    print("SSH connection timed out")
except ReadTimeout:
    print("Command read timed out")
```

Use placeholder addresses from documentation ranges in examples. Keep real inventory in an ignored local file or a secrets-managed system.

## Batch Collection

```python
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Any

from netmiko import ConnectHandler
from netmiko.exceptions import (
    NetmikoAuthenticationException,
    NetmikoTimeoutException,
    ReadTimeout,
)

# Explicit, small inventory of device dicts (same shape as `device` above).
devices: list[dict[str, Any]] = []


def collect_show(device: dict[str, Any], command: str) -> dict[str, Any]:
    host = device["host"]
    try:
        with ConnectHandler(**device) as conn:
            output = conn.send_command(command, read_timeout=45)
            return {"host": host, "ok": True, "output": output}
    except (NetmikoAuthenticationException, NetmikoTimeoutException, ReadTimeout) as exc:
        # Record only the exception type so one failure does not stop the batch.
        return {"host": host, "ok": False, "error": type(exc).__name__}


results = []
with ThreadPoolExecutor(max_workers=8) as pool:
    futures = [pool.submit(collect_show, device, "show version") for device in devices]
    for future in as_completed(futures):
        results.append(future.result())
```

Keep `max_workers` low unless the device estate and AAA systems are known to handle higher connection volume.

## Structured Parsing

Netmiko can ask TextFSM, TTP, or Genie to parse supported command output. Treat parser output as an optimization, not the only evidence path.

```python
from netmiko import ConnectHandler

# `device` is the connection dict from the read-only pattern above.
with ConnectHandler(**device) as conn:
    parsed = conn.send_command(
        "show ip interface brief",
        use_textfsm=True,
        raise_parsing_error=False,
        read_timeout=30,
    )

# With no matching template, Netmiko returns the raw string instead of rows.
if isinstance(parsed, str):
    print("No parser template matched; store raw output for review")
else:
    for row in parsed:
        print(row)
```

If parsing drives a blocking decision, keep the raw command output