Truenas Skill
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the TrueNAS API key is highly privileged, an agent could make broad TrueNAS changes such as creating or deleting datasets, changing ACLs, managing apps, or calling other administrative methods.
The helper forwards any user/agent-supplied TrueNAS method and parameters directly to the API, without a method allowlist, dry-run mode, or built-in confirmation for destructive calls.
const method = process.argv[2]; ... method: method, params: Array.isArray(params) ? params : [params]
Use a least-privilege or read-only TrueNAS API key where possible, and require explicit user confirmation for destructive or state-changing methods.
A single request or mistaken invocation could restart or change many homelab services at once, causing outages or broken deployments.
The default behavior updates every running non-ix Dockge stack, which can pull new images and restart multiple services without an interactive confirmation in the script.
If no stacks specified, updates all running stacks ... const running = Object.entries(data.stackList).filter(([name, v]) => v.status === 3 && !name.startsWith("ix-")) ... updateStacks(running);
Prefer specifying stack names explicitly, preview the stack list first, and add a confirmation step before bulk updates.
The agent may be able to read or change storage, apps, downloads, workflows, bookmarks, and other service data depending on the keys provided.
The skill requires a TrueNAS API key and documents many optional service credentials. This is expected for the integrations, but these credentials can grant significant account and infrastructure authority.
TRUENAS_API_KEY — API key from TrueNAS UI → API Keys ... SONARR_API_KEY ... RADARR_API_KEY ... SYNCTHING_API_KEY ... N8N_API_KEY ... KARAKEEP_API_KEY
Provide only the credentials needed for the tasks you want, scope API keys narrowly, and avoid using admin-level keys unless necessary.
On a compromised or untrusted network, an attacker could impersonate the NAS endpoint or intercept sensitive API use more easily.
The default TLS behavior is clearly disclosed and common for homelabs, but skipped certificate validation weakens protection for API credentials on untrusted networks.
TLS verification is skipped by default (`curl -k`, `rejectUnauthorized: false`) because homelab servers typically use self-signed certs. Set `TRUENAS_VERIFY_TLS=1` to enforce strict TLS validation.
Use HTTPS with a trusted certificate when possible, and set `TRUENAS_VERIFY_TLS=1` if your TrueNAS certificate can be validated.
