NAS Agent Sync
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A requesting agent could cause the File Master to read or store files in unintended agent folders if the user does not add their own access controls.
The File Master is instructed to turn inter-agent file requests into raw SSH file operations, but the artifact does not specify path validation, requester authorization, or confirmation for sensitive file reads/writes.
When another agent sends a file request via sessions_send: ... Retrieve a file: ssh USER@NAS-IP "cat ~/_agents/[agent]/[file]"
Use a dedicated NAS account restricted to the intended directories, require explicit approval for cross-agent reads, and define allowed paths and request formats before enabling this workflow.
If the File Master is misused or compromised, it may access all NAS folders allowed by its SSH account.
The skill clearly discloses that the File Master will hold NAS SSH access; this is purpose-aligned, but it concentrates important account authority in one agent.
Only one agent has NAS credentials ... Other agents never get SSH credentials
Create a least-privilege SSH user/key for this skill, restrict it to the needed NAS directory tree, and avoid reusing personal or admin SSH credentials.
Private agent memory, task history, or sensitive working files could be copied into long-lived shared storage and later accessed or reused outside the original context.
The documented cron payload backs up every agent's memory folder to a centralized NAS location, but the artifact does not define exclusions, retention, encryption, or how sensitive/persistent memory should be handled.
"Backup all agent workspaces to NAS. For each agent: rsync workspace memory/ folder to NAS _agents/{agent}/memory-backup/."Back up only explicitly approved folders, exclude secrets and sensitive memory files, set retention rules, and protect NAS backups with access controls and encryption where appropriate.
One agent may be able to request files belonging to another agent or shared area if the File Master follows messages without an authorization policy.
The design depends on inter-agent messages to request file operations, but the instructions do not describe how the File Master verifies the sender, checks whether the requester may access the requested path, or prevents cross-agent data disclosure.
I do NOT access files directly. ALL file ops go through the File Master: sessions_send(sessionKey="agent:techops:main", message="Retrieve: [path]")
Define an authorization matrix for agent-to-folder access, require requester identity checks, log all requests, and make cross-agent sharing opt-in.
Backups may continue running and copying agent data even when the user is not actively using the skill.
The skill recommends a recurring OpenClaw cron job. This is disclosed and backup-related, but it creates persistent automated activity after setup.
"schedule": { "kind": "cron", "expr": "0 3 * * *", "tz": "UTC" }Enable the cron only if you want ongoing backups, monitor its output, and document how to pause or remove it.