NAS File Courier Skill
Warn
Audited by ClawScan on May 18, 2026.
Overview
The NAS file delivery workflow is coherent, but the fallback download-link script can mishandle crafted filenames and a reference command may leave sensitive NAS files outside the cleanup path.
Review and fix the HTTP fallback filename-encoding command before installing. Use a restricted NAS account, keep all downloads under /tmp/openclaw/nas-courier/, confirm each file before sending, and prefer native MEDIA delivery over temporary HTTP links when possible.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed filename on the NAS could cause the agent to run unintended code under the local user account when creating a temporary link.
The filename is inserted directly into Python source code. If a NAS filename contains crafted quotes or Python syntax, the fallback command could execute unintended local Python code or fail while generating the download URL.
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${FILENAME}'))")
Do not interpolate filenames into python -c source. Use an argv-safe form such as: python3 -c 'import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))' "$FILENAME".
Sensitive files copied from the NAS may remain on disk after the skill says cleanup is complete.
This reference download path differs from the main workflow's required /tmp/openclaw/nas-courier/ directory and cleanup command. Following it could leave copied NAS files outside the mandatory cleanup scope.
rclone copy "nas:<SHARE>/path/to/file.pdf" /tmp/nas-courier/
Use one temp directory consistently, update the reference command to /tmp/openclaw/nas-courier/, and verify cleanup removes only that skill-owned directory.
The agent can read whatever the configured NAS account and shares allow.
The skill relies on a preconfigured credentialed rclone remote to access NAS files. This is expected for the stated purpose, but it is still account-level delegated access.
[nas]
type = smb
host = <NAS_TAILSCALE_IP>
user = openclaw
pass = <ENCRYPTED>
Use a least-privilege NAS account, restrict it to intended shares, and avoid storing broader NAS credentials in the rclone profile used by this skill.
Anyone with network access to that Tailscale address and the link or guessable filename could download the temporarily served file during the window.
The fallback exposes the temporary file directory over a Tailscale-bound HTTP server for 10 minutes. It is read-only and purpose-aligned, but the artifact does not add per-recipient authentication beyond Tailscale network access.
rclone serve http /tmp/openclaw/nas-courier/ \
--addr "${TAILSCALE_IP}:${PORT}" \
--read-only &
...
sleep 600
Prefer native MEDIA delivery when possible; for HTTP fallback, use short lifetimes, random ports or unguessable paths, and stop the server immediately after confirmed download.
Installation expectations may be unclear, and the skill may fail or use whatever local rclone/Tailscale configuration already exists.
The skill documents required local tools and setup, while the registry metadata lists no required binaries, env vars, config paths, or install spec. This is under-declared rather than hidden code, but users must verify the environment manually.
Tailscale VPN | `tailscale status` ... rclone | `which rclone` ... sudo access | (for initial setup only)
Declare required binaries and config paths in metadata, and document a least-privilege setup checklist for the rclone remote.
