Manage TrueNAS SCALE via API. Check pool health, manage datasets and snapshots, monitor alerts, control services, manage apps, orchestrate Dockge container stacks, and manage bookmarks. Use when the user asks about their NAS, storage, backups, containers, bookmarks, or homelab services.
Security Analysis
high confidence
This skill is internally consistent with its stated purpose (managing TrueNAS SCALE) — it requests the TrueNAS URL and API key, includes WebSocket and Dockge tooling, and does not ask for unrelated secrets or install arbitrary remote code.
The declared purpose (manage TrueNAS SCALE, pools, datasets, snapshots, apps, Dockge stacks, bookmarks, and related homelab services) matches the required artifacts: TRUENAS_URL and TRUENAS_API_KEY, plus curl/jq/node and scripts for WebSocket and Dockge. Optional references to other homelab services are documented as optional environment variables and align with the described integrations.
Runtime instructions and scripts operate on the user-provided service endpoints (TrueNAS, Dockge, and other optional services). They only read env vars and call those endpoints. A noteworthy security choice: TLS verification is disabled by default (curl -k and rejectUnauthorized: false) to accommodate self-signed certs — this increases MITM risk unless the user sets TRUENAS_VERIFY_TLS=1. The SKILL.md asserts credentials 'stay local' and the code sends the API key only to the configured service endpoints; there are no hard-coded external endpoints in the code.
The registry entry has no platform install spec (instruction-only), but the package includes package.json and package-lock.json referencing standard npm packages (socket.io-client, ws) from the public npm registry. That is expected for WebSocket/socket.io clients and is not unusual, but it means an install (npm install) pulls dependencies from npm — a moderate, expected risk rather than a red flag.
Only TRUENAS_URL and TRUENAS_API_KEY are required (primaryEnv set correctly). Many other env vars are documented as optional for integrations (Dockge credentials, Sonarr/Radarr, Plex, etc.). Those optional credentials are appropriate for the broad homelab scope but increase blast radius if you provide them unnecessarily — only supply the service credentials you actually want the skill to use. Dockge scripts specifically require DOCKGE_URL/DOCKGE_USER/DOCKGE_PASS when invoked.
The skill does not request always: true, does not modify other skills or system-wide configs, and is user-invocable. It runs as-needed and has no implicit permanent privileges beyond normal execution.
Guidance
This skill appears to be what it claims, but review and follow these precautions before installing:
1) Use a least-privilege TrueNAS API key (read-only where possible).
2) Prefer TRUENAS_VERIFY_TLS=1 and valid certificates; only disable TLS verification if you understand the risk of man-in-the-middle attacks on your LAN.
3) Only provide optional service credentials (Dockge, Sonarr, Radarr, Plex, etc.) that you intend the skill to access — every credential you supply increases exposure.
4) If you run the included Node scripts, run npm install in a controlled environment and review package-lock.json; the dependencies are common WebSocket/socket.io libs but are fetched from npm.
5) Inspect/trust the GitHub source (homepage) or run the skill in an isolated agent environment if you are unsure.
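As an added example (not the skill's own code), this shell wrapper illustrates the TLS point raised in the analysis and in precaution 2: it keeps a TRUENAS_VERIFY_TLS switch like the skill's, but defaults to verifying and lets a self-signed certificate be trusted through a pinned CA bundle instead of passing curl -k. TRUENAS_CA_BUNDLE, the helper names and the Bearer-authenticated /api/v2.0 endpoint are assumptions, not taken from the skill.

```shell
#!/usr/bin/env bash
# Added example, not the skill's code. Secure-by-default TLS handling for TrueNAS API calls.
# The reviewed skill disables verification unless TRUENAS_VERIFY_TLS=1; this wrapper inverts
# that default: verification is ON unless TRUENAS_VERIFY_TLS is explicitly set to 0/false/no.

truenas_tls_args() {
  # Echo the curl TLS flags to use for the configured TRUENAS_URL.
  case "${TRUENAS_VERIFY_TLS:-1}" in
    0|false|no)
      # Weak setting: equivalent to the skill's default curl -k; warn loudly so it is visible in logs.
      echo "WARNING: TLS verification disabled for ${TRUENAS_URL:-<unset>}; MITM on the LAN is possible" >&2
      echo "-k"
      ;;
    *)
      # Hardened setting: verify the chain. For a self-signed cert, pin the NAS CA bundle
      # (TRUENAS_CA_BUNDLE is an assumed variable) rather than turning verification off.
      if [ -n "${TRUENAS_CA_BUNDLE:-}" ]; then
        echo "--cacert ${TRUENAS_CA_BUNDLE}"
      else
        echo ""
      fi
      ;;
  esac
}

truenas_api() {
  # GET one TrueNAS REST v2.0 endpoint, e.g. `truenas_api pool` (assumed endpoint and auth scheme).
  local endpoint="$1"
  : "${TRUENAS_URL:?TRUENAS_URL must be set}"
  : "${TRUENAS_API_KEY:?TRUENAS_API_KEY must be set}"
  # The API key is only ever sent to TRUENAS_URL, matching the skill's 'credentials stay local' claim.
  # shellcheck disable=SC2046  # intentional word-splitting of the flag string
  curl -sS $(truenas_tls_args) \
    -H "Authorization: Bearer ${TRUENAS_API_KEY}" \
    "${TRUENAS_URL%/}/api/v2.0/${endpoint}"
}
```

Note that the CA bundle path is word-split, so it must not contain spaces.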
Latest Release
v1.2.0
- Added TLS control: new TRUENAS_VERIFY_TLS environment variable lets you enforce or relax certificate validation for TrueNAS connections.
- Declared required environment variables and system binaries in skill metadata for compatibility checks.
- Updated documentation to clarify security posture and TLS/self-signed certificate handling.
- Added homepage field to metadata.
Published by @anotb on ClawHub