nas-master

A hardware-aware, hybrid (SMB + SSH) suite for ASUSTOR NAS metadata scraping. Functions as a versatile Coder, Project Manager, and System Architect while maintaining strict read-only safety and i3-10th Gen resource throttling.

Before installing or running this skill, consider the following: 1) Provenance: The source is unknown and registry metadata conflicts with SKILL.md. Ask the publisher for provenance and an explanation for the metadata mismatch. 2) Credentials in package: The skill bundle includes a .env file with live-looking credentials/paths. Never run code that uses embedded credentials you didn't provision yourself—replace them with placeholders or remove the .env before use. Treat any included passwords as potentially sensitive and verify they are not legitimate production credentials. 3) System writes: The skill instructs writing a PHP dashboard into C:\xampp\htdocs\. That will place files under a webserver root. Only allow this if you explicitly want a dashboard hosted there and you trust the generated content; run in a sandbox/VM first. 4) Network & privilege: The skill needs SMB share access and SSH credentials to the NAS; ensure you supply only least-privilege accounts (read-only where possible) and review the database account (use a dedicated DB user with limited rights). 5) Dependencies & platform: The Python code uses psutil Windows constants and assumes XAMPP paths — test in a controlled Windows environment. Also confirm required Python packages (paramiko, mysql-connector, python-dotenv, psutil) are installed from trusted sources. 6) Safety checks: Validate that the scraper truly runs read-only against your shares and that any generated web files do not unintentionally expose sensitive metadata. Review and run the code in a sandbox (isolated VM or staging network) before granting it access to production NAS or network. If you cannot confirm origin or cannot run it in an isolated environment, do not install or run the skill. If you proceed, replace/remove the bundled .env, use scoped credentials, and inspect/modify the PHP/dashboard generation to ensure it does not leak data publicly.

Type: OpenClaw Skill Name: nas-master Version: 1.0.0 The skill is classified as suspicious due to several risky capabilities and security weaknesses, despite its stated read-only purpose. It requires and uses highly privileged NAS and SSH credentials from environment variables to perform extensive file system crawling (including hidden folders) and execute SSH commands (`cat /proc/mdstat`, `btrfs scrub status`) on the NAS. A significant security weakness is the use of `paramiko.AutoAddPolicy()` in `nas_engine.py`, which bypasses SSH host key verification, making it vulnerable to Man-in-the-Middle attacks. While the `SKILL.md` explicitly states 'Strict Read-Only' for NAS operations, the broad 'adaptive' instructions for the AI agent, such as acting as a 'versatile coder' and 'continuously learning from user interactions,' could potentially be leveraged for prompt injection by a malicious user, even if the skill author's intent was not malicious.