Thank you, fewi!
Yes, you are correct inasmuch as UPnP creates dynamic NAT rules. I do think you're onto something with the second script line you wrote. What is being thought of, however, is some sort of pass/fail scripting.
For instance, UPnP opens a dynamic NAT rule of udp3074. Machine that created the rule is shut down, but the nat rule remains in place. Script would run (scheduler) and check for "the last time any packets came through this rule," or "last time any activity occurred on this rule" and, by way of user defined settings, either remove the dynamic rule or leave it open.
The tomato firmware does something to this effect with upnp and natpmp. Settings such as "cleaning interval (time)" and "number of entries left open before cleaning is even attempted" and so on.
Disclaimer: I don't use UPnP.
If you have tested that disabling and re-enabling UPnP actually flushes rules this is trivial:
/ip upnp set enabled=no; /ip upnp set enabled=yes;
Schedule that, and you're done.
If that doesn't actually flush rules you could try this: I'd assume that UPnP creates dynamic NAT rules. If that is correct, you can delete all dynamic NAT rules:
/ip firewall nat { remove [find where dynamic] };
This could interact weirdly with other things that create dynamic NAT rules though - it would be a very bad idea to run that on a router that also is a Hotspot.