nas-master
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: nas-master
Version: 1.0.0

The skill is classified as suspicious because of several risky capabilities and security weaknesses, despite its stated read-only purpose. It requires and uses highly privileged NAS and SSH credentials read from environment variables to perform extensive file system crawling (including hidden folders) and to execute SSH commands (`cat /proc/mdstat`, `btrfs scrub status`) on the NAS. A significant weakness is the use of `paramiko.AutoAddPolicy()` in `nas_engine.py`: unknown SSH host keys are accepted silently, so the identity of the NAS is never verified and the password-authenticated session is exposed to man-in-the-middle attacks. While `SKILL.md` explicitly states 'Strict Read-Only' for NAS operations, the broad 'adaptive' instructions for the AI agent, such as acting as a 'versatile coder' and 'continuously learning from user interactions,' could be leveraged for prompt injection by a malicious user, even if the skill author's intent was not malicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: A durable database of private NAS structure, file names, paths, and permissions could be exposed locally or reused in later tasks beyond the user's intent.
Detail: The skill directs broad, persistent indexing of private NAS file and permission metadata, including hidden/system areas, without clear exclusions, retention limits, or approval boundaries.
Evidence: Recursively scan every folder in `NAS_VOLUMES`... Capture: Name, Path, Size, Extension, and Windows ACLs. Deep Search: Scrape hidden folders like `.@metadata`, `.@encdir`, and `.@plugins`... Persistence: Use `INSERT IGNORE`
Recommendation: Use explicit allowlisted paths, exclude sensitive/system folders unless needed, confirm before each scan, restrict database access, and define retention/deletion rules.
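The crawl bound the recommendation asks for, as an added example written for this review rather than code from the nas-master skill. It walks only explicitly allowlisted roots, prunes excluded directories before `os.walk` descends into them (generalised here to any name starting with `.@`, which covers the three folders the skill names), refuses symlinks that point outside the allowlisted root, and caps the number of records. The sample directory layout in `build_sample_tree` is constructed for the example; the ACL capture and `INSERT IGNORE` persistence are out of scope here.

```python
"""Allowlisted, bounded NAS crawl (added example; not the nas-master skill's code)."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str        # absolute path of a regular file
    size: int
    extension: str   # lower-cased, including the dot, "" if none


def _inside(path: str, root: str) -> bool:
    """True if path, after symlink resolution, is still under root (no escape via links)."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def scan_allowlisted(allowed_roots, excluded_prefixes=(".@",), max_entries=100_000):
    """Walk only the allowlisted roots; skip excluded dirs and symlink escapes; cap the result."""
    entries = []
    for root in allowed_roots:
        root = os.path.realpath(root)
        if not os.path.isdir(root):
            raise ValueError(f"allowlisted root is not a directory: {root}")
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            # Prune in place so os.walk never descends into excluded or escaping directories.
            dirnames[:] = [
                d for d in dirnames
                if not d.startswith(excluded_prefixes) and _inside(os.path.join(dirpath, d), root)
            ]
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # vanished or unreadable entry; do not abort the whole scan
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                entries.append(Entry(full, st.st_size, os.path.splitext(name)[1].lower()))
                if len(entries) >= max_entries:
                    return entries
    return entries


def build_sample_tree(base: str) -> str:
    """Constructed sample layout (not a real NAS): returns the share root to allowlist."""
    share = os.path.join(base, "share")
    outside = os.path.join(base, "outside")  # deliberately not allowlisted
    for d in ("docs", "photos", ".@metadata"):
        os.makedirs(os.path.join(share, d), exist_ok=True)
    os.makedirs(outside, exist_ok=True)
    files = {
        os.path.join(share, "docs", "a.txt"): b"hello",
        os.path.join(share, "photos", "b.jpg"): b"\xff\xd8",
        os.path.join(share, ".@metadata", "x.bin"): b"\x00",
        os.path.join(outside, "secret.txt"): b"not for indexing",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    try:
        os.symlink(outside, os.path.join(share, "escape"))  # link pointing out of the share
    except OSError:
        pass  # platform without symlink support; the escape check is simply not exercised
    return share


if __name__ == "__main__":
    import tempfile
    share = build_sample_tree(tempfile.mkdtemp())
    for e in scan_allowlisted([share]):
        print(e.size, e.extension, e.path)
```

With the default exclusions only `docs/a.txt` and `photos/b.jpg` are indexed; passing `excluded_prefixes=()` is the explicit opt-in needed to include `.@metadata`, and `outside/secret.txt` is never reached because the `escape` link fails the containment check.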
Impact: If the skill or environment is misconfigured or compromised, the agent would have administrator-level NAS access and broad local database authority.
Detail: The skill expects privileged NAS/SSH credentials and local database root access, while the registry metadata declares no primary credential or required environment variables.
Evidence: `NAS_USER="admin" ... NAS_SSH_USER="admin" ... NAS_SSH_PASS="YourPassword" ... DB_USER="root" ... DB_PASS=""`
Recommendation: Use a dedicated least-privilege read-only NAS/SSH account, a limited MySQL user for the specific database, and declare all credential requirements clearly before installation.
Impact: A spoofed or intercepted NAS SSH endpoint could receive the credentials or return misleading system metadata.
Detail: The SSH client automatically trusts unknown host keys while using password authentication and then runs remote commands. The commands are read-only, but host authenticity is never verified, so the password is sent to whatever answers at `NAS_SSH_HOST`.
Evidence: `ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ... ssh.connect(os.getenv("NAS_SSH_HOST"), username=os.getenv("NAS_SSH_USER"), password=os.getenv("NAS_SSH_PASS"))`
Recommendation: Require known_hosts validation or explicit fingerprint confirmation, and keep the remote command set fixed and read-only.
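The hardened form of the connection above, as an added example for this review and not code from `nas_engine.py`. The simplest fix is to drop the `AutoAddPolicy()` line altogether (paramiko's `SSHClient` rejects unknown keys by default) and ship a `known_hosts` entry; the version below additionally implements the "explicit fingerprint confirmation" option with a custom policy that accepts an unknown key only when its SHA256 fingerprint matches a pin. The environment variable `NAS_SSH_HOST_FINGERPRINT` is an assumption of this example, not something the skill defines; the other env var names are the skill's own.

```python
"""Pinned host key instead of AutoAddPolicy (added example, not nas-master code)."""
import base64
import hashlib
import hmac
import os

try:
    import paramiko
    _PolicyBase = paramiko.MissingHostKeyPolicy
except ImportError:  # paramiko absent: the fingerprint checks still run; only connect_pinned() needs it
    paramiko = None
    _PolicyBase = object

# Assumed env var (not in the skill): the NAS host key fingerprint as printed by `ssh-keygen -lf`.
PIN_ENV_VAR = "NAS_SSH_HOST_FINGERPRINT"


class HostKeyMismatch(Exception):
    """The NAS presented a host key other than the pinned one; the password must not be sent."""


def openssh_sha256_fingerprint(key_blob: bytes) -> str:
    """OpenSSH display form: "SHA256:" + unpadded base64 of sha256(wire-format key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_pinned_fingerprint(hostname: str, key_blob: bytes, expected: str) -> str:
    """Constant-time comparison of the presented key's fingerprint against the pin.

    Returns the fingerprint on match and raises HostKeyMismatch otherwise.
    """
    actual = openssh_sha256_fingerprint(key_blob)
    if not hmac.compare_digest(actual.encode("ascii"), expected.strip().encode("ascii")):
        raise HostKeyMismatch(f"{hostname}: presented {actual}, pinned {expected.strip()}")
    return actual


class PinnedHostKeyPolicy(_PolicyBase):
    """Drop-in for paramiko.AutoAddPolicy(): an unknown key is accepted only if it matches the pin."""

    def __init__(self, expected_fingerprint: str):
        self.expected = expected_fingerprint

    def missing_host_key(self, client, hostname, key):
        # paramiko passes the PKey the server sent; key.asbytes() is the blob ssh-keygen -lf hashes,
        # so the pin is exactly the string an admin reads off the NAS console.
        check_pinned_fingerprint(hostname, key.asbytes(), self.expected)
        # Returning normally lets the handshake continue; nothing is written to known_hosts.


def connect_pinned(host=None, user=None, password=None, fingerprint=None):
    """Open the skill's password-authenticated SSH session with host authenticity enforced."""
    if paramiko is None:
        raise RuntimeError("paramiko is required to connect")
    fingerprint = fingerprint or os.environ[PIN_ENV_VAR]  # KeyError if unset: fail closed
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # a known_hosts entry wins; a conflicting one raises BadHostKeyException
    client.set_missing_host_key_policy(PinnedHostKeyPolicy(fingerprint))
    client.connect(
        host or os.environ["NAS_SSH_HOST"],
        username=user or os.environ["NAS_SSH_USER"],
        password=password or os.environ["NAS_SSH_PASS"],
        allow_agent=False,
        look_for_keys=False,
    )
    return client


if __name__ == "__main__":
    ssh = connect_pinned()
    _, out, _ = ssh.exec_command("cat /proc/mdstat")  # one of the skill's fixed read-only commands
    print(out.read().decode())
    ssh.close()
```

The pin is compared with `hmac.compare_digest` and the mismatch is raised before `connect()` proceeds to authentication, so a spoofed endpoint never sees `NAS_SSH_PASS`; the remote command stays the fixed read-only one the skill already uses.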
Impact: Users may not realize the skill requires extra tools, Python packages, and secrets until runtime.
Detail: The skill's own frontmatter lists tools and environment variables, but the registry section says no required binaries, env vars, or primary credential, and there is no install spec or dependency pinning.
Evidence:
```yaml
requires:
  bins: ["python", "php", "mysql", "powershell", "ssh"]
  env: ["NAS_VOLUMES", "NAS_USER", "NAS_PASS", "NAS_SSH_HOST", "NAS_SSH_USER", "NAS_SSH_PASS", "DB_PASS"]
```
Recommendation: Align registry metadata with the skill requirements and provide pinned, auditable dependency instructions.
Impact: A user could misunderstand 'read-only' as meaning the skill makes no local changes or persistent records.
Detail: The read-only claim appears to mean no destructive NAS operations, but the skill still writes persistent local database records and may generate a local dashboard.
Evidence: **Strict Read-Only:** Never use `os.remove`, `os.rename`, or any destructive SSH commands... **Persistence:** Use `INSERT IGNORE` to resume interrupted scans.
Recommendation: Clarify that read-only applies to NAS mutation only, and explicitly list all local files, database tables, and dashboard paths the skill may create or update.
