Saturnday
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Saturnday is a coherent, disclosed wrapper around a security/governance CLI, but its run modes can modify a chosen repository and send repository contents to an AI backend.
This skill appears purpose-aligned rather than malicious. Before installing or invoking run/guard modes, confirm you trust the external `saturnday` package, run it only on intended repositories, review changes before merging, and avoid AI-backed runs on codebases containing secrets or sensitive proprietary content unless the selected provider is approved.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong folder or branch, the skill may change project files or repository state.
The skill explicitly discloses that some modes can change the selected repository, which is purpose-aligned for governed execution but high-impact enough that users should be aware of it before running those modes.
Run and Guard modes modify the target repository (git commits, evidence directories).
Run it only on intended repositories, preferably with a clean git status or backup, and review generated changes before merging or deploying.
The skill may use your configured AI provider account for code generation and related requests.
Run mode can use locally configured AI provider credentials, which is expected for the advertised backend integrations but still grants access to paid or account-scoped services.
Excerpt from the skill's provider-selection logic (the surrounding function is not shown in the artifact; `import os` is implied):

```python
import os

# Provider is chosen by whichever API key is present in the environment
if os.environ.get("OPENAI_API_KEY"):
    return "openai"
if os.environ.get("ANTHROPIC_API_KEY"):
    return "anthropic"
```

Use a credential with appropriate limits and revoke or rotate it if you no longer need this integration.
Private source code or configuration present in the target repository may be sent to the selected AI backend.
The artifact clearly discloses an external AI-provider data flow involving repository contents; this is core to run mode but may include sensitive code or configuration.
Run mode transmits repository contents to the chosen AI backend for code generation.
Do not run AI-backed modes on repositories containing secrets or confidential code unless the provider and account policy are acceptable.
Installing without a pinned version may fetch a newer package version than the reviewed skill expected.
The skill depends on an external PyPI-installed CLI for its main behavior. This is disclosed and purpose-aligned, but the install command is unpinned in the provided artifacts.
Requires: `pip install saturnday`
Install from a trusted source and consider pinning the expected Saturnday version when using it in controlled environments.
