← 返回 Skills 市场
1439
总下载
0
收藏
4
当前安装
4
版本数
在 OpenClaw 中安装
/install truenas-skill
功能描述
Manage TrueNAS SCALE via API. Check pool health, manage datasets and snapshots, monitor alerts, control services, manage apps, orchestrate Dockge container stacks, and manage bookmarks. Use when the user asks about their NAS, storage, backups, containers, bookmarks, or homelab services.
安全使用建议
This skill appears to be what it claims, but review and follow these precautions before installing: 1) Use a least-privilege TrueNAS API key (read-only where possible). 2) Prefer TRUENAS_VERIFY_TLS=1 and valid certificates; only disable TLS verification if you understand the risk of man-in-the-middle attacks on your LAN. 3) Only provide optional service credentials (Dockge, Sonarr, Radarr, Plex, etc.) that you intend the skill to access — every credential you supply increases exposure. 4) If you run the included Node scripts, run npm install in a controlled environment and review package-lock.json; the dependencies are common WebSocket/socket.io libs but are fetched from npm. 5) Inspect/trust the GitHub source (homepage) or run the skill in an isolated agent environment if you are unsure.
功能分析
Type: OpenClaw Skill
Name: truenas-skill
Version: 1.2.0
The skill is classified as suspicious due to its default insecure TLS configuration (`curl -k`, `rejectUnauthorized: false`) for TrueNAS, which is explicitly mentioned and justified in `SKILL.md` and implemented in `scripts/truenas-ws.mjs`. While an override (`TRUENAS_VERIFY_TLS=1`) is provided, this default behavior introduces a potential Man-in-the-Middle vulnerability. Additionally, the skill is designed to handle a large number of sensitive API keys and URLs for various homelab services (e.g., `TRUENAS_API_KEY`, `DOCKGE_USER/PASS`, `SONARR_API_KEY`, `RADARR_API_KEY`, etc.) as environment variables, which, while necessary for its stated purpose, significantly expands the attack surface for credential exposure if the agent environment is compromised. There is no evidence of intentional malicious behavior like data exfiltration to unauthorized third parties or backdoors.
能力评估
Purpose & Capability
The declared purpose (manage TrueNAS SCALE, pools, datasets, snapshots, apps, Dockge stacks, bookmarks, and related homelab services) matches the required artifacts: TRUENAS_URL and TRUENAS_API_KEY, plus curl/jq/node and scripts for WebSocket and Dockge. Optional references to other homelab services are documented as optional environment variables and align with the described integrations.
Instruction Scope
Runtime instructions and scripts operate on the user-provided service endpoints (TrueNAS, Dockge, and other optional services). They only read env vars and call those endpoints. A noteworthy security choice: TLS verification is disabled by default (curl -k and rejectUnauthorized: false) to accommodate self-signed certs — this increases MITM risk unless the user sets TRUENAS_VERIFY_TLS=1. The SKILL.md asserts credentials 'stay local' and the code sends the API key only to the configured service endpoints; there are no hard-coded external endpoints in the code.
Install Mechanism
The registry entry has no platform install spec (instruction-only), but the package includes package.json and package-lock.json referencing standard npm packages (socket.io-client, ws) from the public npm registry. That is expected for WebSocket/socket.io clients and is not unusual, but it means an install (npm install) pulls dependencies from npm — a moderate, expected risk rather than a red flag.
Credentials
Only TRUENAS_URL and TRUENAS_API_KEY are required (primaryEnv set correctly). Many other env vars are documented as optional for integrations (Dockge credentials, Sonarr/Radarr, Plex, etc.). Those optional credentials are appropriate for the broad homelab scope but increase blast radius if you provide them unnecessarily — only supply the service credentials you actually want the skill to use. Dockge scripts specifically require DOCKGE_URL/DOCKGE_USER/DOCKGE_PASS when invoked.
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system-wide configs, and is user-invocable. It runs as-needed and has no implicit permanent privileges beyond normal execution.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install truenas-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/truenas-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
- Added TLS control: new TRUENAS_VERIFY_TLS environment variable lets you enforce or relax certificate validation for TrueNAS connections.
- Declared required environment variables and system binaries in skill metadata for compatibility checks.
- Updated documentation to clarify security posture and TLS/self-signed certificate handling.
- Added homepage field to metadata.
v1.1.2
Fix broken URLs: OpenClaw and Agent Skills links
v1.1.1
Update docs: add ClawHub install link, bookmarks reference, REST API deprecation notice, bump version
v1.1.0
Fix broken snapshot endpoint, harden scripts, add REST deprecation warning, add Karakeep bookmark API reference, fix Audiobookshelf endpoint, fix port collisions
元数据
常见问题
Truenas Skill 是什么?
Manage TrueNAS SCALE via API. Check pool health, manage datasets and snapshots, monitor alerts, control services, manage apps, orchestrate Dockge container stacks, and manage bookmarks. Use when the user asks about their NAS, storage, backups, containers, bookmarks, or homelab services. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1439 次。
如何安装 Truenas Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install truenas-skill」即可一键安装,无需额外配置。
Truenas Skill 是免费的吗?
是的,Truenas Skill 完全免费(开源免费),可自由下载、安装和使用。
Truenas Skill 支持哪些平台?
Truenas Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Truenas Skill?
由 anotb(@anotb)开发并维护,当前版本 v1.2.0。
推荐 Skills