← Back to Skills Marketplace
2090
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install nas-master
Description
A hardware-aware, hybrid (SMB + SSH) suite for ASUSTOR NAS metadata scraping. Functions as a versatile Coder, Project Manager, and System Architect while maintaining strict read-only safety and i3-10th Gen resource throttling.
Usage Guidance
Before installing or running this skill, consider the following:
1) Provenance: The source is unknown and registry metadata conflicts with SKILL.md. Ask the publisher for provenance and an explanation for the metadata mismatch.
2) Credentials in package: The skill bundle includes a .env file with live-looking credentials/paths. Never run code that uses embedded credentials you didn't provision yourself—replace them with placeholders or remove the .env before use. Treat any included passwords as potentially sensitive and verify they are not legitimate production credentials.
3) System writes: The skill instructs writing a PHP dashboard into C:\xampp\htdocs\. That will place files under a webserver root. Only allow this if you explicitly want a dashboard hosted there and you trust the generated content; run in a sandbox/VM first.
4) Network & privilege: The skill needs SMB share access and SSH credentials to the NAS; ensure you supply only least-privilege accounts (read-only where possible) and review the database account (use a dedicated DB user with limited rights).
5) Dependencies & platform: The Python code uses psutil Windows constants and assumes XAMPP paths — test in a controlled Windows environment. Also confirm required Python packages (paramiko, mysql-connector, python-dotenv, psutil) are installed from trusted sources.
6) Safety checks: Validate that the scraper truly runs read-only against your shares and that any generated web files do not unintentionally expose sensitive metadata. Review and run the code in a sandbox (isolated VM or staging network) before granting it access to production NAS or network.
If you cannot confirm origin or cannot run it in an isolated environment, do not install or run the skill. If you proceed, replace/remove the bundled .env, use scoped credentials, and inspect/modify the PHP/dashboard generation to ensure it does not leak data publicly.
Capability Analysis
Type: OpenClaw Skill
Name: nas-master
Version: 1.0.0
The skill is classified as suspicious due to several risky capabilities and security weaknesses, despite its stated read-only purpose. It requires and uses highly privileged NAS and SSH credentials from environment variables to perform extensive file system crawling (including hidden folders) and execute SSH commands (`cat /proc/mdstat`, `btrfs scrub status`) on the NAS. A significant security weakness is the use of `paramiko.AutoAddPolicy()` in `nas_engine.py`, which bypasses SSH host key verification, making it vulnerable to Man-in-the-Middle attacks. While the `SKILL.md` explicitly states 'Strict Read-Only' for NAS operations, the broad 'adaptive' instructions for the AI agent, such as acting as a 'versatile coder' and 'continuously learning from user interactions,' could potentially be leveraged for prompt injection by a malicious user, even if the skill author's intent was not malicious.
Capability Assessment
Purpose & Capability
The SKILL.md and nas_engine.py are consistent with an SMB+SSH NAS scraper: they use SSH (paramiko), walk a network path, and write metadata into MySQL. However the registry metadata claims no required env vars/binaries while SKILL.md lists many required binaries and env vars — an important mismatch. The skill also declares support for PHP/XAMPP web dashboard generation and Windows-specific throttle constants, which are coherent with the intended Windows-targeted workflow but expand the surface area beyond a simple scraper.
Instruction Scope
Instructions explicitly direct the agent to: recursively scan NAS volumes (including hidden system folders), run SSH commands (cat /proc/mdstat, btrfs scrub status), parse internal app SQLite DBs, and generate a PHP/AJAX dashboard under C:\xampp\htdocs\nas_explorer\. These actions are within the stated purpose but involve system-level reads and writing files into a webserver directory — which increases risk and should be expected and authorized by the user.
Install Mechanism
There is no install spec (instruction-only style) so nothing is automatically downloaded from external URLs. That lowers install-time risk. The package does include Python code that depends on third-party libraries (paramiko, mysql.connector, python-dotenv, psutil), but no automated installation is declared.
Credentials
SKILL.md declares many required env vars (NAS_VOLUMES, NAS_USER, NAS_PASS, NAS_SSH_HOST, NAS_SSH_USER, NAS_SSH_PASS, DB_PASS) which are appropriate for a NAS scraper. However the registry metadata lists no required env vars — a clear inconsistency. The distributed .env file in the skill package contains concrete credentials/paths (NAS_ROOT_PATH, NAS_VOLUMES, NAS_USER, NAS_PASS, NAS_SSH_HOST, etc.). Shipping credentials or filled-in connection strings inside the package is a red flag: even if placeholders, they broaden the risk surface and could be accidentally used or leaked.
Persistence & Privilege
The skill does not request always:true and does not modify other skills, which is good. However its runtime actions include creating database records and instructions to generate files under C:\xampp\htdocs\nas_explorer\ — a system/webserver location. That means the skill, when run, will write files that may be served by a webserver; users should consider whether the agent is permitted to write into that location and whether generated content is safe to host.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install nas-master - After installation, invoke the skill by name or use
/nas-master - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: asustor-pro-adaptive-suite (version 1.0.0)
- Hybrid NAS metadata scraping using both SMB file crawling and SSH for system/hardware inspection.
- Strict read-only safety with self-verification; resumes interrupted scans and avoids data duplication.
- Enforces CPU/memory/gpu guardrails for i3-10th Gen + 1050 GTX ASUSTOR setups.
- Python-powered backend integrates with a PHP/AJAX dashboard (XAMPP), supporting rapid search and visualization.
- Adaptive, multi-role design: acts as coder, project manager, system architect, and business analyst.
- Continuously prioritizes free/open-source tools and learns from user interactions.
Metadata
Frequently Asked Questions
What is nas-master?
A hardware-aware, hybrid (SMB + SSH) suite for ASUSTOR NAS metadata scraping. Functions as a versatile Coder, Project Manager, and System Architect while maintaining strict read-only safety and i3-10th Gen resource throttling. It is an AI Agent Skill for Claude Code / OpenClaw, with 2090 downloads so far.
How do I install nas-master?
Run "/install nas-master" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is nas-master free?
Yes, nas-master is completely free (open-source). You can download, install and use it at no cost.
Which platforms does nas-master support?
nas-master is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created nas-master?
It is built and maintained by afajohn (@afajohn); the current version is v1.0.0.
More Skills