ClawHub
Back to skill

Security audit

Truenas Aiops

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed TrueNAS operations helper with credential handling and write actions that match its stated purpose, though users should treat the optional environment-password and legacy migration paths carefully.

Install only if you intend to let an agent operate a TrueNAS SCALE appliance. Use a least-privilege TrueNAS API key, keep snapshot deletion and service restart under explicit human approval, prefer the interactive password prompt or a managed CI secret over a long-lived exported master password, and migrate/remove any legacy plaintext .env API keys promptly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly instructs users to place the master password in an environment variable for unattended use. Environment variables are commonly exposed through shell history, process listings, crash reports, CI logs, inherited subprocess environments, and orchestration metadata, so this increases the chance that the key-encryption password is disclosed and the encrypted secret store can be decrypted.

Credential Access

High
Category
Privilege Escalation
Content
truenas-aiops replication cloudsync
truenas-aiops secret set <target>                     # store API key encrypted
truenas-aiops secret list                             # names only
truenas-aiops secret migrate                          # import legacy plaintext .env
truenas-aiops secret rotate-password
truenas-aiops doctor
truenas-aiops mcp                                     # start MCP server (stdio)
Confidence
88% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.