ClawHub

Amernet AI SaaS

v1.0.0

Connect your AI SaaS intelligent agent to any messaging channel via OpenClaw (WhatsApp, Telegram, Slack, Discord, iMessage, and more)

0· 549·1 current·1 all-time
by@amernet
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality described (forward messages from channels to an AI SaaS chatbot, maintain per-user sessions, reset/status endpoints) aligns with the skill name and description. Required credentials (API key and chatbot ID) are appropriate for that purpose. However, the registry metadata at the top of the report claims no required env vars or primary credential while package.json and SKILL.md both declare required env vars (AI_SAAS_API_KEY, AI_SAAS_CHATBOT_ID, AI_SAAS_BASE_URL). This packaging metadata mismatch is inconsistent and may cause misconfiguration or surprise.
!
Instruction Scope
SKILL.md instructs the agent to forward ANY user message from connected channels to the external AI SaaS and to store API credentials in ~/.openclaw/openclaw.json. Forwarding all messages by default has privacy implications (sensitive user content will be sent to a third party). The instructions otherwise remain scoped to the described task (POST/DELETE/GET to the SaaS API). There are also small naming inconsistencies between SKILL.md, README, and README examples (e.g., skill entry named 'amernet-ai-saas' vs README showing 'ai-saas') that could lead to misconfiguration.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which is the lowest-risk install mechanism. There are no external downloads or package installs specified.
!
Credentials
The skill requires an API key and chatbot ID on the AI SaaS — expected and proportional for this integration. However, SKILL.md instructs creating an API key with 'all' permissions; that scope may be broader than technically necessary (depends on SaaS API design). The skill will send all user messages to the external service and can clear conversations via DELETE, so the API key could enable reading/writing conversation data. Also, the registry metadata incorrectly listed no required env vars while package.json and SKILL.md list them, an inconsistency that should be resolved before trusting configuration.
Persistence & Privilege
The skill does not request 'always: true' and does not claim elevated platform privileges. It instructs the user to add env entries to their OpenClaw config (normal for skills). Autonomous invocation is allowed (disable-model-invocation: false), which is the platform default; combined with the fact the skill forwards all messages to an external service, this increases blast radius but is not an unusual configuration for a messaging integration.
What to consider before installing
This skill implements what it claims, but check these points before installing: - Privacy: the skill forwards ANY message from connected channels to a third-party SaaS (saas.salesbay.ai by default). Do you and your users consent to those messages being sent off-site? Avoid installing in environments that handle sensitive data unless you’ve verified the SaaS provider’s privacy/security posture. - API key scope: SKILL.md asks for a key with 'all' permissions. Confirm whether a narrower scope is possible and use the least-privilege key. Understand that the key allows the skill to send messages and clear conversations. - Metadata inconsistencies: the platform metadata shown at the top claims no required env vars, while package.json and SKILL.md require API key and chatbot ID. Also README uses a different skill entry name ('ai-saas' vs 'amernet-ai-saas'). Resolve these naming/metadata mismatches to avoid misconfiguration and accidental credential exposure. - Configuration path: follow the SKILL.md guidance to store envs in ~/.openclaw/openclaw.json under the correct skill entry name — ensure you use the same slug the platform expects. - Test safely: try this in a non-production workspace with a limited-scope API key and a test chatbot to confirm behavior before rolling out. If you want, I can list exact configuration lines to add or suggest a minimal-permission request to ask the SaaS provider.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cyznhjvdxm9pd89q1v9vhan81nj3k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments