Total downloads: 235
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install smartsaas-ai
Description
Install via extraDirs (not clawhub). Never auto-add items: only add when user explicitly asks; user defines what to add. Scripts: create-dataset.sh, add-to-d...
Security usage recommendations
What to consider before installing or enabling this skill:
- Metadata mismatch: The skill manifest claims no required environment variables or binaries, but the scripts require SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY and some scripts call python3. Do not rely on the registry metadata; treat SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY as required and ensure python3 is present if you will resolve folders by name.
- Credential scope and placement: The API key grants broad access to the backend (create datasets, list users, remove integrations, dispatch webhooks). Use a scoped/dedicated API key with least privilege, and set it in OpenClaw's skill env (skills.entries.smartsaas.env) rather than pasting it in chat. Confirm the key's permissions before use.
- Inconsistencies to fix or review: add-to-dataset behavior in the code differs from SKILL.md (wrapper vs direct payload), and the script emits a curl example on error (contradicting 'do not show curl'). These inconsistencies can lead to wrong API payloads or accidental exposure of usage patterns. Review add-to-dataset.sh and the SKILL.md guidance and test the scripts in an isolated environment to confirm expected behavior.
- Source verification: The skill's source is 'unknown' and homepage is missing. If you plan to run these scripts against production data, verify the author and repository integrity (or run in a sandbox first). Consider running it in a staging environment and auditing traffic to the SMARTSAAS_BASE_URL.
- Runtime safety: Because the skill issues network requests to the configured base URL, run it only with a backend you trust. If you enable cron/dispatch scripts, be careful: configure webhook targets and schedules deliberately to avoid unexpected automated actions.
Functional analysis
Type: OpenClaw Skill
Name: smartsaas-ai
Version: 1.0.0
The skill bundle exhibits several high-risk behaviors and security vulnerabilities. Multiple scripts (e.g., add-to-dataset.sh, create-dataset.sh, and others) use 'curl -k', which disables SSL certificate verification, exposing the agent to man-in-the-middle attacks. The SKILL.md instructions explicitly command the AI to bypass the standard 'clawhub' installation process in favor of manual configuration via 'extraDirs', which can be used to evade security auditing. Additionally, the scripts use 'sed' for JSON construction, which is highly brittle and susceptible to injection vulnerabilities if user-provided data contains special characters.
Capability assessment
Purpose & Capability
The skill's purpose (SmartSaaS API client) matches the scripts' behavior: they call a base URL using an API key to manage datasets, projects, templates, webhooks, etc. However the registry metadata claims no required environment variables or binaries, while SKILL.md and almost every script require SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY (and some scripts invoke python3). The missing declaration of those env vars/binaries in the registry metadata is an incoherence.
Instruction Scope
SKILL.md emphatically instructs agents to use the included shell scripts (execute_shell), never to show or run curl, and to never ask users for API tokens. The scripts themselves use curl and read SMARTSAAS_BASE_URL / SMARTSAAS_API_KEY from env, which is consistent. But there are direct contradictions: SKILL.md documents that add-to-dataset sends body wrapped as {"data":...}, while the actual scripts (add-to-dataset.sh) post the payload directly (no wrapper). add-to-dataset.sh also prints a curl example (contradicting 'never show curl'). The add-to-dataset.sh resolves folder names by listing folders and parsing JSON with python3 — this requires python3 to be present though metadata does not declare it. These inconsistencies could cause the agent to construct wrong requests or to leak guidance that includes curl examples or examples referencing env vars.
Install Mechanism
There is no remote install step or download in the skill manifest — it's instruction-only and includes scripts in the repo. No network-based install instructions from untrusted URLs are present. That reduces install-time risk.
Credentials
Requesting SMARTSAAS_BASE_URL and SMARTSAAS_API_KEY is proportionate to the skill's function (API calls). However the skill metadata failed to declare these required env vars, and some scripts assume python3 and curl behaviour. The skill does not ask for unrelated credentials. Because the API key provides broad access to a backend (data:read/write, projects, integrations, webhooks), ensure the key has minimal necessary scopes and consider using a dedicated API key for this skill.
Persistence & Privilege
The skill is not always-enabled and does not request changes to other skills or global configs. It expects to be loaded via extraDirs; that is normal and not privileged. The scripts themselves do not install persistent services or modify other skills.
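How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the dialog: /install smartsaas-ai
- After installation, call the Skill by name or trigger it with /smartsaas-ai
- Provide the required inputs according to the Skill's parameter description to get structured output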
Version history
v1.0.0
SmartSaaS Skill v1.0.0 — initial release
- Adds support for creating and managing datasets and items via shell scripts (create-dataset.sh, add-to-dataset.sh) using execute_shell only.
- Requires explicit user instructions to add items; never auto-adds or infers items.
- Installation is via extraDirs in openclaw.json, not clawhub.
- Scripts use positional arguments only; do not use flags like --name or --dataset.
- API credentials (SMARTSAAS_BASE_URL, SMARTSAAS_API_KEY) are read from the environment; users are never prompted to provide keys in chat.
- All interactions are via provided scripts—never via curl or direct HTTP requests.
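FAQ
What is SmartSaaS?
Install via extraDirs (not clawhub). Never auto-add items: only add when user explicitly asks; user defines what to add. Scripts: create-dataset.sh, add-to-d... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 235 cumulative downloads to date.
How do I install SmartSaaS?
Run the command "/install smartsaas-ai" in the OpenClaw or Claude Code dialog for one-click installation; no additional configuration is required.
Is SmartSaaS free?
Yes, SmartSaaS is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does SmartSaaS support?
SmartSaaS runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed SmartSaaS?
It is developed and maintained by Saf (@smartsaas); the current version is v1.0.0.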