← 返回 Skills 市场
103
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install sat-agent
功能描述
Run the pure-LLM variant of the QLCoder workflow for both CVE samples and local Web App repositories. Supports multi-profile taint-flow analysis with source/...
安全使用建议
This skill runs local repository-wide scanning and executes subprocesses (it invokes python -m qlcoder.cli and similar). Before installing or running: 1) Confirm the QLCoder project you expect is present (qlcoder/cli.py) and that you trust that code; 2) Inspect scripts/run_pure_llm.py (already bundled) to ensure there are no hidden network calls or unexpected commands beyond the visible filesystem scanning and subprocess usage; 3) Note the SKILL.md contains developer-specific absolute paths (/Users/aibot/...), update those to your environment or run from a copy; 4) Run the skill in an isolated sandbox or on a non-sensitive copy of the repository first; 5) If you need stronger assurance, ask the publisher to fix the naming/packaging inconsistencies and remove hard-coded paths. These discrepancies (name mismatch and hard-coded paths) are the main reasons this analysis is flagged as suspicious rather than benign.
功能分析
Type: OpenClaw Skill
Name: sat-agent
Version: 1.0.0
The skill bundle is a specialized security analysis tool designed to perform static taint-flow analysis on Java and Python web applications. The core logic in `scripts/run_pure_llm.py` uses regex-based pattern matching to identify potential XSS, SQL injection, and broken access control vulnerabilities, with specific heuristics tailored for the RuoYi framework. While the script utilizes high-risk capabilities such as `subprocess.run` and filesystem access, these actions are strictly aligned with its stated purpose of vulnerability research and reporting. No evidence of malicious intent, data exfiltration, or prompt injection was found; the hardcoded absolute paths (e.g., in `SKILL.md`) appear to be environment-specific configurations for a research workspace.
能力评估
Purpose & Capability
The SKILL.md and bundled files implement a QLCoder pure-LLM taint-flow analysis (Java/Python web) which matches the described capability, but the registry metadata/name ('SATAgent') does not match the SKILL.md name/slug (qlcoder-pure-llm / coder-pure-llm). This naming mismatch and leftover absolute paths (e.g., /Users/aibot/...) are incongruent and suggest sloppy packaging or repackaging.
Instruction Scope
Instructions intentionally read repository files, build manifests, and run local analysis; the bundled script performs wide file-system scanning (rglob over repo), pattern matching, writes JSON artifacts, and calls subprocess.run to invoke external commands (e.g., python -m qlcoder.cli). Those actions are consistent with code-analysis purpose, but SKILL.md contains hard-coded absolute developer paths and encourages running the wrapper which will search the entire repo — a significant scope that should be reviewed by the user.
Install Mechanism
No install spec or remote downloads are present; the skill is instruction-only with a bundled Python script. Nothing external is fetched during install by the skill package itself.
Credentials
The skill declares no required environment variables or credentials and the code does not require external tokens. It reads local files and may invoke local Python modules; no unnecessary secrets access is requested.
Persistence & Privilege
always:false and no special persistence or modifications to other skills are requested. The skill can be invoked by the model (normal default). The primary risk is the skill's ability to read workspace/repo files and run subprocesses when executed.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install sat-agent - 安装完成后,直接呼叫该 Skill 的名称或使用
/sat-agent触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Version 1.0.0 Summary: Major overhaul from SAT prep assistant to QLCoder Pure LLM taint-flow security analysis workflow.
- Replaces all SAT-specific content and files with QLCoder pure-LLM taint-flow analysis for Java/Python Web Apps.
- Adds support for CVE sample manifest and local repository security workflows.
- Introduces multi-profile source/sink/sanitizer typing and emits triaged findings summaries.
- Provides quick start, detailed workflow instructions, references, and output contract for results.
- Removes SAT topic files, college planning, and test prep logic in favor of security analysis documentation.
元数据
常见问题
SATAgent 是什么?
Run the pure-LLM variant of the QLCoder workflow for both CVE samples and local Web App repositories. Supports multi-profile taint-flow analysis with source/... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 103 次。
如何安装 SATAgent?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install sat-agent」即可一键安装,无需额外配置。
SATAgent 是免费的吗?
是的,SATAgent 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
SATAgent 支持哪些平台?
SATAgent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 SATAgent?
由 SeTG-git(@setg-git)开发并维护,当前版本 v1.0.0。
推荐 Skills