← Back to Skills Marketplace

SmartSaaS

Name: SmartSaaS
Author: smartsaas

by Saf · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

235

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install smartsaas-ai

Description

Install via extraDirs (not clawhub). Never auto-add items: only add when user explicitly asks; user defines what to add. Scripts: create-dataset.sh, add-to-d...

Usage Guidance

What to consider before installing or enabling this skill: - Metadata mismatch: The skill manifest claims no required environment variables or binaries, but the scripts require SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY and some scripts call python3. Do not rely on the registry metadata; treat SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY as required and ensure python3 is present if you will resolve folders by name. - Credential scope and placement: The API key grants broad access to the backend (create datasets, list users, remove integrations, dispatch webhooks). Use a scoped/dedicated API key with least privilege, and set it in OpenClaw's skill env (skills.entries.smartsaas.env) rather than pasting it in chat. Confirm the key's permissions before use. - Inconsistencies to fix or review: add-to-dataset behavior in the code differs from SKILL.md (wrapper vs direct payload), and the script emits a curl example on error (contradicting 'do not show curl'). These inconsistencies can lead to wrong API payloads or accidental exposure of usage patterns. Review add-to-dataset.sh and the SKILL.md guidance and test the scripts in an isolated environment to confirm expected behavior. - Source verification: The skill's source is 'unknown' and homepage is missing. If you plan to run these scripts against production data, verify the author and repository integrity (or run in a sandbox first). Consider running it in a staging environment and auditing traffic to the SMARTSAAS_BASE_URL. - Runtime safety: Because the skill issues network requests to the configured base URL, run it only with a backend you trust. If you enable cron/dispatch scripts, be careful: configure webhook targets and schedules deliberately to avoid unexpected automated actions. If you want, I can list the exact lines in add-to-dataset.sh and SKILL.md that contradict each other, or produce a recommended corrected SKILL.md / metadata snippet that declares the required env vars and binaries.

Capability Analysis

Type: OpenClaw Skill Name: smartsaas-ai Version: 1.0.0 The skill bundle exhibits several high-risk behaviors and security vulnerabilities. Multiple scripts (e.g., add-to-dataset.sh, create-dataset.sh, and others) use 'curl -k', which disables SSL certificate verification, exposing the agent to man-in-the-middle attacks. The SKILL.md instructions explicitly command the AI to bypass the standard 'clawhub' installation process in favor of manual configuration via 'extraDirs', which can be used to evade security auditing. Additionally, the scripts use 'sed' for JSON construction, which is highly brittle and susceptible to injection vulnerabilities if user-provided data contains special characters.

Capability Assessment

⚠ Purpose & Capability

The skill's purpose (SmartSaaS API client) matches the scripts' behavior: they call a base URL using an API key to manage datasets, projects, templates, webhooks, etc. However the registry metadata claims no required environment variables or binaries, while SKILL.md and almost every script require SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY (and some scripts invoke python3). The missing declaration of those env vars/binaries in the registry metadata is an incoherence.

⚠ Instruction Scope

SKILL.md emphatically instructs agents to use the included shell scripts (execute_shell), never to show or run curl, and to never ask users for API tokens. The scripts themselves use curl and read SMARTSAAS_BASE_URL / SMARTSAAS_API_KEY from env, which is consistent. But there are direct contradictions: SKILL.md documents that add-to-dataset sends body wrapped as {"data":...}, while the actual scripts (add-to-dataset.sh) post the payload directly (no wrapper). add-to-dataset.sh also prints a curl example (contradicting 'never show curl'). The add-to-dataset.sh resolves folder names by listing folders and parsing JSON with python3 — this requires python3 to be present though metadata does not declare it. These inconsistencies could cause the agent to construct wrong requests or to leak guidance that includes curl examples or examples referencing env vars.

✓ Install Mechanism

There is no remote install step or download in the skill manifest — it's instruction-only and includes scripts in the repo. No network-based install instructions from untrusted URLs are present. That reduces install-time risk.

ℹ Credentials

Requesting SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY is proportionate to the skill's function (API calls). However the skill metadata failed to declare these required env vars, and some scripts assume python3 and curl behaviour. The skill does not ask for unrelated credentials. Because the API key provides broad access to a backend (data:read/write, projects, integrations, webhooks), ensure the key has minimal necessary scopes and consider using a dedicated API key for this skill.

✓ Persistence & Privilege

The skill is not always-enabled and does not request changes to other skills or global configs. It expects to be loaded via extraDirs; that is normal and not privileged. The scripts themselves do not install persistent services or modify other skills.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install smartsaas-ai
After installation, invoke the skill by name or use /smartsaas-ai
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

SmartSaaS Skill v1.0.0 — initial release - Adds support for creating and managing datasets and items via shell scripts (create-dataset.sh, add-to-dataset.sh) using execute_shell only. - Requires explicit user instructions to add items; never auto-adds or infers items. - Installation is via extraDirs in openclaw.json, not clawhub. - Scripts use positional arguments only; do not use flags like --name or --dataset. - API credentials (SMARTSAAS_BASE_URL, SMARTSAAS_API_KEY) are read from the environment; users are never prompted to provide keys in chat. - All interactions are via provided scripts—never via curl or direct HTTP requests.

Metadata

Slug smartsaas-ai

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is SmartSaaS?

Install via extraDirs (not clawhub). Never auto-add items: only add when user explicitly asks; user defines what to add. Scripts: create-dataset.sh, add-to-d... It is an AI Agent Skill for Claude Code / OpenClaw, with 235 downloads so far.

How do I install SmartSaaS?

Run "/install smartsaas-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SmartSaaS free?

Yes, SmartSaaS is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does SmartSaaS support?

SmartSaaS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created SmartSaaS?

It is built and maintained by Saf (@smartsaas); the current version is v1.0.0.

More Skills