Truenas Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate TrueNAS/homelab skill, but it gives an agent broad control over sensitive infrastructure with weak default TLS and limited safety gates for disruptive actions.

Install only if you intentionally want an agent to administer TrueNAS and related homelab services. Use least-privilege API keys, set TRUENAS_VERIFY_TLS=1 when possible, avoid unauthenticated or internet-exposed service endpoints, and require explicit manual confirmation before deletion, ACL changes, app installs or updates, workflow execution, media/download changes, game-server commands, or bulk Dockge updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (19)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This documentation expands the skill beyond the stated TrueNAS-management scope into controlling torrent/usenet clients and a captcha-solving proxy. That scope drift is dangerous because it normalizes high-risk actions against adjacent services, increasing the chance an agent will manipulate external download infrastructure or facilitate questionable activity without explicit justification or safeguards.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
Including FlareSolverr introduces a capability specifically designed to bypass anti-bot or captcha protections, which is not necessary for core TrueNAS administration. In the context of an agent skill, this materially increases abuse potential by enabling automated access to third-party sites and weakening boundary controls that those services rely on.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This reference file materially expands the skill from TrueNAS administration into general-purpose control of unrelated third-party services, including notifications, workflow execution, database mutation, website monitoring, and Minecraft server management. In an agent setting, that scope expansion increases the chance of unintended or unauthorized actions outside the user's expected NAS-management context and weakens least-privilege boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Managing Crafty Minecraft servers is not reasonably implied by the skill's stated TrueNAS/NAS-management purpose, yet the examples include start, stop, and command execution actions. That mismatch creates a confused-deputy risk where users may invoke a storage-management skill that can actually control unrelated application infrastructure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The n8n examples include workflow execution, which can fan out into arbitrary downstream automation such as API calls, file changes, notifications, or administrative actions. Within a skill presented as TrueNAS management, this broadens effective authority far beyond the advertised purpose and can magnify the impact of prompt misuse or mistaken invocation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The NocoDB section includes record creation, which enables modification of an external database unrelated to core TrueNAS administration. This introduces unnecessary write capability and raises the risk of data corruption, unauthorized business-data changes, or misuse through overbroad credentials.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
This reference file materially expands the skill from TrueNAS administration into controlling multiple unrelated media and analytics services such as Overseerr, Sonarr, Radarr, Prowlarr, Plex, and Tautulli. That scope drift increases the reachable attack surface, enables actions unrelated to the declared purpose, and makes it easier for a user or prompt injection to cause side effects outside expected NAS management.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The documentation grants direct operational control over third-party services, including submitting requests, approving requests, adding media, triggering scans, and querying indexers and analytics. If an agent follows this guidance, it can modify external applications and expose personal media activity without those capabilities being justified by the stated TrueNAS-focused purpose.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
The README advertises dataset creation/deletion and snapshot management without warning that these actions can be destructive or irreversible. In an agent-driven context, omission of safety warnings is dangerous because users may invoke natural-language commands that trigger storage changes, deletion, or data loss without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding:
The README promotes updating Dockge stacks without warning about service restarts, downtime, configuration drift, or failed deployments. In a homelab or NAS environment, agent-initiated stack updates can disrupt storage-dependent applications and create cascading outages if performed without explicit confirmation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This guide contains multiple state-changing API examples that create datasets, modify ACLs, and install apps, but it does not prominently warn that these operations alter persistent storage configuration and application state. In an agent skill context, documentation is often used as executable guidance, so omission of safety boundaries and confirmation requirements increases the chance of unintended destructive or over-permissive changes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The examples provide bulk pause/resume operations for all torrents without any warning, confirmation step, or discussion of service impact. In an agent setting, such examples can be directly translated into disruptive actions that affect all downloads, creating operational harm through a single ambiguous request.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The file documents sensitive endpoints and API-key-based access with phrases like 'typically no auth' and 'no auth' but provides no warning about exposure risks, credential handling, or network trust boundaries. This encourages insecure deployment and could lead users or agents to interact with unauthenticated administrative services that are trivially abused if exposed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documented n8n execute example triggers a state-changing action but provides no warning, guardrail, or confirmation requirement. In agent-facing documentation, normalization of silent execution increases the risk that an operator or model treats disruptive actions as routine and performs them without validating scope or consequences.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding:
The file documents multiple API keys and bearer tokens but does not include any security guidance about secret handling, logging, storage, or least privilege. While this is documentation rather than direct exfiltration logic, it encourages operationally unsafe patterns that can lead to credential exposure in agent traces, shell history, or logs.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The file encourages use of Tautulli activity, history, user stats, and 'who's watching' queries without warning that these endpoints expose sensitive behavioral data about household members or users. In agent contexts, silent access to viewing history and live sessions can create privacy violations and unexpected surveillance capabilities.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The code allows TLS certificate verification to be disabled by default unless TRUENAS_VERIFY_TLS is explicitly set to '1', enabling connections to proceed without authenticating the TrueNAS server. This makes the API key and all WebSocket traffic vulnerable to man-in-the-middle interception or tampering, which is especially dangerous because this skill manages storage, snapshots, services, apps, and container stacks on a NAS.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
**CRITICAL:** Use `user: "apps"` and `group: "apps"` as STRINGS, not numeric uid/gid.

```bash
curl -sk -X POST "$TRUENAS_URL/api/v2.0/filesystem/setacl" \
  -H "Authorization: Bearer $TRUENAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 83%
Finding:
```bash
curl -sk -X POST "$TRUENAS_URL/api/v2.0/filesystem/setacl" \
  -H "Authorization: Bearer $TRUENAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "/mnt/apps/config/APP_NAME",
```

Known Vulnerable Dependency: ws==8.18.0 — 1 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure)

Severity: Low
Category: Supply Chain
Confidence: 81%
Finding:
ws==8.18.0

VirusTotal

64/64 vendors flagged this skill as clean.
