ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SAA Agent

v1.0.1

Enables AI agents to generate images using the Character Select Stand Alone App (SAA) image generation backend via command-line interface.

0· 966·0 current·0 all-time
by@mirabarukaso
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description state a CLI client for the Character Select SAA backend and the included code, README, and SKILL.md implement exactly that: WebSocket/API addresses, model/prompt parameters, HiResFix and skeleton-key controls. There are no unrelated environment variables, external credentials, or unexpected binaries declared.
Instruction Scope
SKILL.md instructs the agent to confirm backend availability, SAAC is enabled, and to get a WebSocket address from the user — which matches a networked CLI client. It explicitly forbids automatic retries and requires explicit user consent before using --skeleton-key. Note: because the tool sends prompts and model parameters to whatever ws-address is provided, the user (or agent) should ensure that address is trusted to avoid sending prompts/data to an untrusted remote server.
Install Mechanism
No install spec; this is instruction + a Python script. That reduces installation risk because nothing is downloaded or installed automatically by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials. The code accepts connection credentials via CLI flags (username/password) but defaults are benign; there are no unrelated credential requests.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. It does include a 'skeleton-key' option that force-unlocks the backend, but SKILL.md mandates explicit user confirmation before use.
Assessment
This package appears to be a coherent local CLI client for the SAA image backend. Before installing/using it: 1) only provide ws-address values that you trust (sending prompts to an arbitrary remote ws could leak your prompts or data); 2) be cautious with --skeleton-key (it force-unlocks/backends and should only be used with explicit confirmation); 3) base64 output writes large data to stdout — avoid piping to untrusted endpoints; 4) the skill's source/homepage is not provided here, so if provenance matters, review the full saa-agent.py contents yourself or run it in an isolated environment. If you want extra assurance, ask the author for the official project URL or compare with the upstream repository mentioned in the README before using.

Like a lobster shell, security has layers — review code before you run it.

latestvk977my898tr3xf5r904qmt4cen80y7s0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments