Sally AI
by Sally Labs · GitHub ↗ · v1.0.4
790 Downloads · 5 Stars · 2 Active Installs · 5 Versions
Install in OpenClaw
/install sally-ai
Description
Chat with Sally about metabolic health, blood sugar, A1C, nutrition, fasting, supplements, and lab results. Uses the Sally MCP server on Smithery with x402 m...
Usage Guidance
This skill's payment model (Smithery + x402) can be legitimate, but do not paste your wallet private key into a command or URL unless you fully trust Smithery and understand the risks. A private key passed on the command line can leak via shell history, process lists, CI logs, or backups. Before installing or using the skill: (1) Confirm that Smithery and the Sally MCP source code (the GitHub repo) are trustworthy, and review how Smithery stores and uses keys. (2) Prefer safer signing options (smithery auth login, hardware wallet, remote signing, or ephemeral wallets) instead of embedding a raw private key. (3) If you must proceed, create a dedicated hot wallet with minimal funds as the skill advises, and pin the smithery CLI to a specific, reviewed version instead of @latest. (4) Consider testing with an empty or low-value wallet first, and monitor chain transactions. If you are not comfortable with Smithery having custody of a private key, do not install or use this skill.
Capability Analysis
Type: OpenClaw Skill
Name: sally-ai
Version: 1.0.4
The skill is classified as suspicious due to a significant security vulnerability in its setup instructions within `SKILL.md`. It explicitly instructs the user to provide their private key directly on the command line (`smithery mcp add ... privateKey=0xYOUR_PRIVATE_KEY`). While the documentation claims the key is stored encrypted in Smithery's cloud and Clawbot never sees it, passing a private key via command-line arguments is a critical security risk, as it can expose the key in shell history, process lists, or system logs. This constitutes a severe vulnerability, even if not indicative of intentional malicious exfiltration by the skill developer.
Capability Assessment
Purpose & Capability
Requiring the smithery CLI and an x402 wallet is consistent with the skill's stated micropayment-based design for a paid chat service. Asking the user to register an MCP endpoint with Smithery aligns with that purpose. However, the way the private key is delivered (embedded in the mcp add URL/command) is not a necessary or standard practice for a chat-only skill and raises concerns.
Instruction Scope
SKILL.md explicitly instructs users to include their wallet private key in the smithery mcp add command (as a URL query parameter). That exposes the private key to shell history, process listings, and possibly logs. The README claims 'Clawbot never sees your private key' and that Smithery stores it encrypted, but the instructions grant Smithery full custody of the private key — this is broader scope than a typical chat skill and is a sensitive, high-risk action.
Install Mechanism
Install uses npm formula @smithery/cli@latest to create the smithery binary. Installing a CLI from the npm registry is a common pattern (moderate risk). Using the @latest tag is convenient but less reproducible and could introduce unexpected updates; no obscure download URLs are present.
Credentials
The skill declares no required env vars, yet the runtime instructions require you to hand over a private key to an external service. Requesting a wallet private key (sensitive credential) is disproportionate for a chat skill unless the payment design truly requires key custody. The documentation does not offer safer alternatives (e.g., local signing, hardware wallet, remote signing via OAuth) and exposes the key in command-line form.
Persistence & Privilege
The skill is not always-enabled, requests no config paths, and does not ask to modify other skills. It does rely on a third-party cloud (Smithery) to store keys, but the skill itself does not request elevated persistent platform privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sally-ai
- After installation, invoke the skill by name or use /sally-ai
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
- Updated setup instructions to require users to add their own dedicated wallet private key to Smithery for x402 micropayments
- Clarified that Clawbot never sees the user's private key; it is stored encrypted in Smithery's cloud only
- Expanded security and privacy sections with connection details, best practices for wallet usage, and data flow diagrams
- Adjusted description and homepage formatting for clarity and accuracy
- Removed references to pre-configured payment; setup now requires explicit wallet provisioning by user
v1.0.3
- Updated setup instructions to reference Option C from the Sally MCP documentation; simplified and removed private key handling steps.
- Clarified that all payments are handled automatically by Smithery—users should not initiate payments or share private keys.
- Added Traditional Chinese Medicine (TCM) for metabolic health to the skill’s scope.
- Enhanced and simplified security and privacy explanations, emphasizing background payment management.
- Added a .gitignore file.
v1.0.2
- Updated setup instructions: Smithery now stores the wallet private key in encrypted cloud storage instead of locally.
- Improved security messaging: Emphasized that Clawbot never accesses your private key and explained the new storage flow.
- Clarified wallet usage recommendations and best practices.
- Expanded setup and verification steps for clearer onboarding.
- Streamlined and clarified sections on data flow and the x402 protocol.
v1.0.1
Added Security & Privacy section addressing OpenClaw security scanner concerns. No functional changes.
v1.0.0
Initial release — metabolic health AI via Sally MCP on Smithery with x402
Frequently Asked Questions
What is Sally AI?
Chat with Sally about metabolic health, blood sugar, A1C, nutrition, fasting, supplements, and lab results. Uses the Sally MCP server on Smithery with x402 m... It is an AI Agent Skill for Claude Code / OpenClaw, with 790 downloads so far.
How do I install Sally AI?
Run "/install sally-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sally AI free?
Yes, Sally AI is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Sally AI support?
Sally AI is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sally AI?
It is built and maintained by Sally Labs (@sally-labs); the current version is v1.0.4.