Truenas

279 tools. 169 can modify or destroy data without limits.

46 destructive tools with no built-in limits. Policy required.


169 can modify or destroy data
110 read-only
279 tools total

Community server · catalogue entry verified 12/06/2026


What Truenas exposes to your agents

Read (110) · Write / Execute (123) · Destructive / Financial (46)
Critical Risk

The most dangerous Truenas tools

169 of Truenas's 279 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Truenas

PolicyLayer is an MCP gateway — it sits between your AI agents and Truenas, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "acme_dns_authenticator_delete": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "bootenv_keep": {
    "limits": [
      {
        "counter": "bootenv_keep_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "acme_dns_authenticator_list": {
    "limits": [
      {
        "counter": "acme_dns_authenticator_list_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Truenas — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.

Free to start. No card required.

All 279 Truenas tools

DESTRUCTIVE 46 tools
acme_dns_authenticator_delete: Delete an ACME DNS authenticator by its ID.
alertservice_delete: Delete an alert notification service by its ID. Use alertservice_list to find the ID.
api_key_delete: Delete an API key by its numeric ID. Use api_key_list to find the ID. This immediately revokes access for anyo
app_delete: Delete/uninstall an app. This is a DESTRUCTIVE operation. The
bootenv_delete: Delete a boot environment. This is a DESTRUCTIVE operation — the
certificate_delete: Delete a certificate by its ID. This is a DESTRUCTIVE operation — the
cloud_backup_delete: Delete a cloud backup task (destructive — requires confirm)
cloudsync_credentials_delete: Delete a cloud sync credential
cloudsync_delete: Delete a cloud sync task (destructive — requires confirm)
cronjob_delete: Delete a cron job
dataset_delete: Delete a dataset (destructive — requires confirm)
disk_wipe: Wipe a disk, destroying all data on it. This is a DESTRUCTIVE operation — the
group_delete: Delete a group. This is a DESTRUCTIVE operation — the
initshutdown_delete: Delete an init/shutdown script
iscsi_extent_delete: Delete an iSCSI extent (LUN)
iscsi_initiator_delete: Delete an iSCSI initiator group
iscsi_portal_delete: Delete an iSCSI portal
iscsi_target_delete: Delete an iSCSI target
iscsi_targetextent_delete: Delete an iSCSI target-to-extent mapping
keychaincredential_delete: Delete an SSH credential or keypair
network_interface_delete: Delete a network interface. This is a DESTRUCTIVE operation — the
network_static_route_delete: Delete a static route by its numeric ID. Use network_static_route_list to find the ID.
nfs_share_delete: Delete an NFS share/export
privilege_delete: Delete a privilege/role by its ID. Use privilege_list to find the ID.
replication_delete: Delete a replication task (destructive — requires confirm)
rsync_task_delete: Delete an rsync task
smb_share_delete: Delete an SMB share
system_ntp_server_delete: Delete an NTP server by its ID. Use system_ntp_servers first to find the ID.
tunable_delete: Delete a tunable by its ID. Use tunable_list to find the ID.
user_delete: Delete a user account. This is a DESTRUCTIVE operation — the
vm_delete: Delete a virtual machine. This is a DESTRUCTIVE operation. The
vm_device_delete: Delete a VM device by its ID. Optionally delete the associated zvol or raw file.
system_shutdown: Shut down the TrueNAS system. This is a DESTRUCTIVE operation — the system will power off and require physical
app_rollback: Rollback an app to a previous version. This is a DESTRUCTIVE operation. The
cloud_backup_abort: Abort a running cloud backup task
directory_services_leave: Leave the current Active Directory or LDAP domain. This is a DESTRUCTIVE operation —
network_rollback_changes: Rollback all pending (uncommitted) network interface changes, restoring the previous network configuration.
snapshot_delete: Delete a ZFS snapshot (destructive — requires confirm)
snapshot_rollback: Rollback a dataset to a snapshot (destructive — requires confirm)
snapshot_task_delete: Delete a periodic snapshot task
system_reboot: Reboot the TrueNAS system. This is a DESTRUCTIVE operation — all running services will be interrupted. The
boot_attach_disk: Attach a disk to the boot pool to create or extend a mirror. This is a DESTRUCTIVE operation that will erase t
boot_detach_disk: Detach a disk from the boot pool mirror. This is a DESTRUCTIVE operation — the
pool_export: Export (disconnect) a pool (destructive — requires confirm)
pool_replace_disk: Replace a disk in a pool (destructive — requires confirm)
update_apply: Apply previously downloaded system updates. This is a DESTRUCTIVE operation that may reboot the system. The

EXECUTE 34 tools
app_start: Start an installed app by its ID.
app_stop: Stop a running app by its ID.
cloud_backup_run: Run a cloud backup task now
cloudsync_run: Run a cloud sync task now
cronjob_run: Run a cron job immediately
pool_scrub: Start, stop, or pause a pool scrub
replication_run: Manually run a replication task now
rsync_task_run: Run an rsync task immediately
service_restart: Restart a service by name. Equivalent to stop + start. Useful after configuration changes that require a servi
service_start: Start a service by name (e.g.
service_stop: Stop a running service by name (e.g.
truenas: Manage your TrueNAS SCALE system. 278 actions organized in categories. Usage: - No args or category=
vm_restart: Restart a running virtual machine by its ID.
vm_start: Start a virtual machine by its ID. Optionally allow memory overcommit.
vm_stop: Stop a running virtual machine by its ID. Optionally force-stop (power off) instead of graceful shutdown.
alertservice_test: Send a test notification through an alert service to verify it is configured correctly.
app_pull_images: Pull the latest Docker images for a specific app.
app_redeploy: Redeploy an app, recreating its containers with the current configuration.
app_upgrade: Upgrade an app to a newer version.
cloudsync_abort: Abort a running cloud sync task
cloudsync_credentials_verify: Verify a cloud sync credential is working
directory_services_cache_refresh: Refresh the directory services cache. Forces re-read of users and groups from the directory server.
disk_smart_test_run: Run a SMART test on one or more disks. Returns a job ID for the test.
filesystem_chown: Change ownership of a file or directory. Can optionally apply recursively.
network_checkin: Check in after committing network changes to confirm they are working. This prevents the automatic rollback th
snapshot_task_run: Run a periodic snapshot task immediately
truenas_api_call: Make a raw API call to any TrueNAS endpoint not covered by specific tools. This is an escape hatch for advance
boot_scrub: Start a scrub of the boot pool to check for and repair data integrity issues.
bootenv_activate: Activate a boot environment so it will be used on next boot.
cronjob_create: Create a new cron job
dataset_lock: Lock an encrypted dataset
mail_send: Send a test email to verify mail configuration is working. Provide a subject, body text, and one or more recip
network_commit_changes: Commit pending network interface changes. Network changes are staged and must be committed to take effect. Use
update_download: Download pending system updates. This starts the download process; the system is not updated until update_appl

WRITE 89 tools
bootenv_keep: Set or clear the
alert_dismiss: Dismiss an alert by its UUID. Dismissed alerts no longer appear as active but can be restored.
snapshot_clone: Clone a snapshot into a new dataset
snapshot_create: Create a ZFS snapshot
snapshot_task_create: Create a periodic snapshot task
vm_clone: Clone an existing VM, creating a copy with a new name.
acme_dns_authenticator_create: Create a new ACME DNS authenticator for DNS-01 challenge validation. The attributes depend on the authenticato
alert_restore: Restore a previously dismissed alert by its UUID, making it active again.
alertservice_create: Create a new alert notification service. Configures how and where alerts are delivered.
alertservice_update: Update an existing alert notification service by its ID. All fields are optional — only provide the ones to ch
api_key_create: Create a new API key for programmatic access to the TrueNAS API. Returns the key — store it securely as it can
app_create: Install a new app from the catalog. Provide the app_name (desired installation name), catalog_app (app from ca
app_update: Update an installed app
audit_config_update: Update audit configuration. All fields are optional — only provide the ones you want to change.
bootenv_create: Create a new boot environment by cloning an existing one. Useful for creating a restore point before updates.
certificate_create: Create a new certificate. Supports internal (self-signed), CSR, imported, and ACME certificate types. Only nam
cloud_backup_create: Create a new cloud backup task
cloud_backup_update: Update an existing cloud backup task
cloudsync_create: Create a new cloud sync task
cloudsync_credentials_create: Create a new cloud sync credential
cloudsync_credentials_update: Update an existing cloud sync credential
cloudsync_restore: Restore data from cloud to a local path
cloudsync_update: Update an existing cloud sync task
cronjob_update: Update an existing cron job
dataset_create: Create a new dataset or zvol
dataset_promote: Promote a cloned dataset to no longer depend on its origin snapshot
dataset_set_permissions: Set UNIX permissions on a dataset
dataset_set_quota: Set dataset quotas
dataset_unlock: Unlock an encrypted dataset
dataset_update: Update dataset properties
directory_services_update: Update directory services configuration. Fields depend on whether Active Directory or LDAP is configured. Pass
disk_update: Update disk settings such as description, power management, SMART monitoring, and standby configuration.
docker_config_update: Update Docker/container runtime configuration. All fields are optional — only provide what you want to change.
filesystem_mkdir: Create a new directory at the specified path. Optionally set the UNIX mode (permissions).
filesystem_set_acl: Set the Access Control List (ACL) for a file or directory. This is a powerful operation — the
filesystem_set_permissions: Set UNIX permissions on a file or directory. Can optionally apply recursively and strip existing ACLs.
ftp_config_update: Update FTP service configuration. All fields are optional — only provide the ones you want to change. Restart
group_create: Create a new group on the TrueNAS system.
group_update: Update an existing group. All fields are optional — only provide the ones you want to change.
initshutdown_create: Create an init/shutdown script
initshutdown_update: Update an init/shutdown script
iscsi_extent_create: Create an iSCSI extent (LUN)
iscsi_extent_update: Update an iSCSI extent (LUN)
iscsi_global_config_update: Update iSCSI global configuration
iscsi_initiator_create: Create an iSCSI initiator group
iscsi_portal_create: Create an iSCSI portal
iscsi_portal_update: Update an iSCSI portal
iscsi_target_create: Create an iSCSI target
iscsi_target_update: Update an iSCSI target
iscsi_targetextent_create: Create an iSCSI target-to-extent mapping
keychaincredential_create: Create an SSH credential or keypair
keychaincredential_generate_ssh_key: Generate a new SSH key pair
mail_update: Update mail/SMTP configuration for system email alerts. All fields are optional — only provide the ones you wa
network_config_update: Update global network configuration. All fields are optional — only provide the ones you want to change.
network_interface_create: Create a new network interface (VLAN, bridge, or bond/LAGG). Network changes are staged until committed with n
network_interface_update: Update an existing network interface. All fields are optional — only provide the ones you want to change. Netw
network_static_route_create: Create a new static route.
nfs_config_update: Update global NFS configuration
nfs_share_create: Create a new NFS share/export
nfs_share_update: Update an existing NFS share/export
pool_create: Create a new storage pool (destructive operation — requires confirm)
pool_update: Update pool properties (e.g. autotrim) or add vdevs
privilege_create: Create a new privilege/role with specific permissions and group bindings.
privilege_update: Update an existing privilege/role by its ID. Use privilege_list to find the ID. All fields are optional.
replication_create: Create a new replication task
replication_restore: Restore from a replication task
replication_update: Update an existing replication task
rsync_task_create: Create a new rsync task
rsync_task_update: Update an existing rsync task
service_update: Enable or disable a service at boot time. This does NOT start or stop the service — use service_start / servic
smb_config_update: Update global SMB configuration
smb_share_create: Create a new SMB share
smb_share_update: Update an existing SMB share
snmp_config_update: Update SNMP service configuration. All fields are optional — only provide the ones you want to change.
ssh_config_update: Update SSH service configuration. All fields are optional — only provide the ones you want to change. Restart
system_config_upload: Upload a system configuration file to restore settings. Note: this endpoint typically expects a multipart file
system_general_update: Update general system configuration. All fields are optional — only provide the ones you want to change. Chang
system_ntp_server_create: Add a new NTP time server to the system configuration.
tunable_create: Create a new system tunable. Tunables allow setting sysctl, loader, or rc variables.
tunable_update: Update an existing tunable by its ID. Use tunable_list to find the ID. All fields are optional — only provide
update_config_set: Set the update configuration. Currently supports changing the update train.
ups_config_update: Update UPS service configuration. All fields are optional — only provide the ones you want to change.
user_create: Create a new user account on the TrueNAS system.
user_set_password: Set or change a user
user_update: Update an existing user account. All fields are optional — only provide the ones you want to change.
vm_create: Create a new virtual machine. At minimum provide a name and memory (in MiB). Other fields have sensible defaul
vm_device_create: Create a new device and attach it to a VM. The
vm_device_update: Update an existing VM device by its ID. Provide any fields to change (dtype, attributes, order, vm).
vm_update: Update an existing VM

READ 110 tools
acme_dns_authenticator_list: List all configured ACME DNS authenticators. These are used for DNS-01 challenge validation when issuing ACME
alert_categories: List all available alert categories. Useful for understanding the types of alerts the system can generate.
alert_list: List all active alerts on the TrueNAS system. Shows alert level, message, source, and dismissal status.
alert_policies: List all available alert policies. Policies define how alerts are escalated and delivered.
alertservice_list: List all configured alert notification services (e.g. email, Slack, PagerDuty). Shows their type, enabled stat
api_key_list: List all API keys configured on the system. Shows key names and metadata (not the secret values).
app_available: List all available apps from the catalog. Returns apps that can be installed.
app_categories: List all app categories available in the catalog.
app_get: Get detailed information about a specific installed app by its ID (app name).
app_list: List all installed apps (Docker containers) on the TrueNAS system.
app_outdated_images: List outdated Docker images used by installed apps.
audit_config: Get the current audit configuration including retention and quota settings.
audit_query: Query the TrueNAS audit log. Supports filtering by services and applying query filters and options.
bootenv_list: List all boot environments. Shows name, active status, creation date, size, and keep flag.
certificate_acme_servers: List available ACME server choices (e.g. Let
certificate_get: Get a specific certificate by its numeric ID. Returns full certificate details including the PEM content.
certificate_list: List all certificates on the system, including self-signed, imported, CSR, and ACME certificates.
cloud_backup_list: List all cloud backup tasks
cloud_backup_snapshots: List snapshots for a cloud backup task
cloudsync_credentials_list: List all cloud sync credentials
cloudsync_get: Get a cloud sync task by ID
cloudsync_list: List all cloud sync tasks
cloudsync_list_buckets: List remote buckets for a cloud credential
cloudsync_list_directory: List files in a remote directory
cloudsync_providers: List available cloud sync providers
cronjob_list: List all cron jobs
dataset_encryption_summary: Get encryption summary for a dataset and its children
dataset_get: Get dataset details by name (e.g.
dataset_get_quota: Get dataset quotas (user, group, dataset, or project)
dataset_list: List all datasets, optionally filtered by pool name
directory_services_config: Get directory services configuration (Active Directory / LDAP).
directory_services_status: Get current directory services status including connection state and health.
disk_get: Get details of a specific disk by its device name (e.g.
disk_list: List all physical disks in the TrueNAS system with their details including serial numbers, sizes, and pool mem
disk_smart_test_list: List SMART test results. Optionally filter by disk name.
disk_temperatures: Get current temperatures for one or more disks. Provide disk device names like
docker_status: Get the current status of the Docker/container runtime service.
filesystem_get_acl: Get the Access Control List (ACL) for a file or directory path. Optionally return a simplified representation.
filesystem_listdir: List contents of a directory. Returns files and subdirectories with metadata. Supports pagination via limit an
filesystem_stat: Get file or directory info including permissions, size, owner, and timestamps. Provide the full path on the Tr
ftp_config: Get the current FTP service configuration.
group_get: Get details of a specific group by its numeric ID.
group_list: List all groups on the TrueNAS system.
initshutdown_list: List all init/shutdown scripts
iscsi_extent_list: List all iSCSI extents (LUNs)
iscsi_global_config: Get iSCSI global configuration
iscsi_initiator_list: List all iSCSI initiator groups
iscsi_portal_list: List all iSCSI portals
iscsi_sessions: Get active iSCSI sessions
iscsi_target_list: List all iSCSI targets
iscsi_targetextent_list: List all iSCSI target-to-extent mappings
kerberos_config: Get Kerberos configuration settings.
kerberos_keytab_list: List all configured Kerberos keytabs.
kerberos_realm_list: List all configured Kerberos realms.
keychaincredential_list: List all SSH credentials and keypairs
keychaincredential_remote_ssh_scan: Scan a remote host for its SSH host key
mail_config: Get the current mail/SMTP configuration for system email alerts and notifications.
network_config: Get the global network configuration including hostname, domain, gateways, nameservers, and proxy settings.
network_interface_get: Get details of a specific network interface by its ID (e.g.
network_interface_list: List all network interfaces on the TrueNAS system, including physical NICs, VLANs, bridges, and bond/LAGG inte
network_ipmi_info: Get IPMI chassis information if IPMI is available on this system. First checks whether IPMI hardware is presen
network_static_route_list: List all configured static routes.
network_summary: Get a summary of the network configuration including all interfaces, IPs, default routes, and nameservers.
nfs_client_count: Get the number of connected NFS clients
nfs_config: Get global NFS configuration
nfs_share_get: Get an NFS share by ID
nfs_share_list: List all NFS shares/exports
pool_attachments: Get services and resources attached to a pool
pool_get: Get pool details by ID
pool_get_disks: Get list of disks in a pool
pool_list: List all storage pools
pool_status: Check pool health and status
privilege_list: List all privileges/roles configured on the system.
replication_get: Get a replication task by ID
replication_list: List all replication tasks
reporting_config: Get the current reporting/metrics configuration.
reporting_get_data: Get time-series reporting data for one or more graphs (CPU, memory, disk, network, etc.). Use reporting_graphs
reporting_graphs: List all available reporting graphs (CPU, memory, disk, network, etc.). Use the graph names with reporting_get
rsync_task_list: List all rsync tasks
service_get: Get details of a specific service by its numeric ID, including its running state and boot-time enable status.
service_list: List all system services with their current status (running/stopped) and whether they are enabled at boot. Use
smb_config: Get global SMB configuration
smb_share_get: Get an SMB share by ID
smb_share_list: List all SMB shares
snapshot_get: Get snapshot details by ID (e.g.
snapshot_list: List all ZFS snapshots, optionally limited by count
snapshot_task_list: List periodic snapshot tasks
snmp_config: Get the current SNMP service configuration.
ssh_config: Get the current SSH service configuration.
system_advanced_config: Get advanced system configuration including console settings, serial port config, syslog, debug kernel, MOTD,
system_config_download: Trigger a system configuration backup (database save). Returns or saves the system config. Options control whe
system_general_config: Get general system configuration including timezone, language, UI port settings, and crash reporting preferenc
system_info: Get TrueNAS system information including hostname, version, uptime, CPU, memory, and hardware details. Use thi
system_ntp_servers: List all configured NTP time servers. Use this to check time synchronization configuration.
system_version: Get the TrueNAS version string. Lightweight alternative to system_info when you only need the version.
tunable_list: List all system tunables (sysctl, loader, and rc variables).
ups_config: Get the current UPS service configuration.
user_get: Get details of a specific user by their numeric ID.
user_list: List all users on the TrueNAS system, including system and local accounts.
user_shell_choices: Get a list of available login shells on the system. Useful when creating or updating a user to know which shel
vm_available_memory: Get the amount of memory available for allocating to VMs, in bytes.
vm_device_list: List VM devices. Optionally filter by VM ID to see devices attached to a specific VM.
vm_display_uri: Get the web display URI (VNC/SPICE) for a running VM. Useful for connecting to the VM console.
vm_get: Get detailed information about a specific VM by its numeric ID.
vm_list: List all virtual machines on the TrueNAS system, including their configuration and status.
vm_status: Get the current status of a virtual machine (running, stopped, etc.).
boot_state: Get the current state of the boot pool, including disk layout, health status, and capacity.
docker_config: Get the current Docker/container runtime configuration, including pool and image update settings.
update_check: Check for available system updates. Returns information about pending updates and the current train.
update_config: Get the current update configuration, including the active update train.


Questions about Truenas

Can an AI agent delete data through the Truenas MCP server?

Yes. The Truenas server exposes 46 destructive tools including acme_dns_authenticator_delete, alertservice_delete, api_key_delete. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Truenas?

The Truenas server has 89 write tools including bootenv_keep, alert_dismiss, snapshot_clone. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Truenas.

How many tools does the Truenas MCP server expose?

279 tools across 4 categories: Destructive, Execute, Read, Write. 110 are read-only. 169 can modify, create, or delete data.

How do I enforce a policy on Truenas?

Register the Truenas MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Truenas tool call.

Deterministic rules across all 279 Truenas tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.


279 Truenas tools catalogued and risk-classified — across an index of 43,000+ MCP servers.
