← Back to Skills Marketplace
103
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install sat-agent
Description
Run the pure-LLM variant of the QLCoder workflow for both CVE samples and local Web App repositories. Supports multi-profile taint-flow analysis with source/...
Usage Guidance
This skill runs local repository-wide scanning and executes subprocesses (it invokes python -m qlcoder.cli and similar). Before installing or running: 1) Confirm the QLCoder project you expect is present (qlcoder/cli.py) and that you trust that code; 2) Inspect scripts/run_pure_llm.py (already bundled) to ensure there are no hidden network calls or unexpected commands beyond the visible filesystem scanning and subprocess usage; 3) Note the SKILL.md contains developer-specific absolute paths (/Users/aibot/...), update those to your environment or run from a copy; 4) Run the skill in an isolated sandbox or on a non-sensitive copy of the repository first; 5) If you need stronger assurance, ask the publisher to fix the naming/packaging inconsistencies and remove hard-coded paths. These discrepancies (name mismatch and hard-coded paths) are the main reasons this analysis is flagged as suspicious rather than benign.
Capability Analysis
Type: OpenClaw Skill
Name: sat-agent
Version: 1.0.0
The skill bundle is a specialized security analysis tool designed to perform static taint-flow analysis on Java and Python web applications. The core logic in `scripts/run_pure_llm.py` uses regex-based pattern matching to identify potential XSS, SQL injection, and broken access control vulnerabilities, with specific heuristics tailored for the RuoYi framework. While the script utilizes high-risk capabilities such as `subprocess.run` and filesystem access, these actions are strictly aligned with its stated purpose of vulnerability research and reporting. No evidence of malicious intent, data exfiltration, or prompt injection was found; the hardcoded absolute paths (e.g., in `SKILL.md`) appear to be environment-specific configurations for a research workspace.
Capability Assessment
Purpose & Capability
The SKILL.md and bundled files implement a QLCoder pure-LLM taint-flow analysis (Java/Python web) which matches the described capability, but the registry metadata/name ('SATAgent') does not match the SKILL.md name/slug (qlcoder-pure-llm / coder-pure-llm). This naming mismatch and leftover absolute paths (e.g., /Users/aibot/...) are incongruent and suggest sloppy packaging or repackaging.
Instruction Scope
Instructions intentionally read repository files, build manifests, and run local analysis; the bundled script performs wide file-system scanning (rglob over repo), pattern matching, writes JSON artifacts, and calls subprocess.run to invoke external commands (e.g., python -m qlcoder.cli). Those actions are consistent with code-analysis purpose, but SKILL.md contains hard-coded absolute developer paths and encourages running the wrapper which will search the entire repo — a significant scope that should be reviewed by the user.
Install Mechanism
No install spec or remote downloads are present; the skill is instruction-only with a bundled Python script. Nothing external is fetched during install by the skill package itself.
Credentials
The skill declares no required environment variables or credentials and the code does not require external tokens. It reads local files and may invoke local Python modules; no unnecessary secrets access is requested.
Persistence & Privilege
always:false and no special persistence or modifications to other skills are requested. The skill can be invoked by the model (normal default). The primary risk is the skill's ability to read workspace/repo files and run subprocesses when executed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sat-agent - After installation, invoke the skill by name or use
/sat-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Version 1.0.0 Summary: Major overhaul from SAT prep assistant to QLCoder Pure LLM taint-flow security analysis workflow.
- Replaces all SAT-specific content and files with QLCoder pure-LLM taint-flow analysis for Java/Python Web Apps.
- Adds support for CVE sample manifest and local repository security workflows.
- Introduces multi-profile source/sink/sanitizer typing and emits triaged findings summaries.
- Provides quick start, detailed workflow instructions, references, and output contract for results.
- Removes SAT topic files, college planning, and test prep logic in favor of security analysis documentation.
Metadata
Frequently Asked Questions
What is SATAgent?
Run the pure-LLM variant of the QLCoder workflow for both CVE samples and local Web App repositories. Supports multi-profile taint-flow analysis with source/... It is an AI Agent Skill for Claude Code / OpenClaw, with 103 downloads so far.
How do I install SATAgent?
Run "/install sat-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SATAgent free?
Yes, SATAgent is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does SATAgent support?
SATAgent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created SATAgent?
It is built and maintained by SeTG-git (@setg-git); the current version is v1.0.0.
More Skills