SAA Agent
PassAudited by ClawScan on May 1, 2026.
Overview
The skill coherently wraps a user-provided SAA image-generation backend, with disclosed network use, optional credentials, and a force-unlock option that should be used carefully.
Before installing, make sure you trust the included script and dependencies, use only a trusted SAA backend address, avoid sharing unrelated credentials, and only allow the skeleton-key unlock when you are sure the backend is stuck and no other generation is active.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the unlock option could disrupt another active or stuck image-generation job on the SAA backend.
This is a backend-state-changing operation that can interfere with other generation work, but it is disclosed and the skill requires explicit user confirmation.
The `--skeleton-key` parameter forcefully unlocks the backend's atomic lock... ALWAYS ask for user confirmation before using `--skeleton-key`
Use the skeleton key only after confirming the backend is stuck and no other process or user is actively generating.
A user may provide backend login details to the agent/CLI, so those credentials should be treated as sensitive.
The CLI can take SAA backend authentication credentials. This is expected for a backend integration, and the artifacts do not show hardcoded credentials or credential exfiltration.
`--username`: Username for authentication (default: `saac_user`) - `--password`: Password for authentication (default: empty)
Use only SAA-specific credentials with the minimum needed access, and avoid sharing unrelated passwords.
Different dependency versions could be installed depending on the user's environment and package index.
The setup uses user-directed installation of unpinned Python packages. This is normal for a Python CLI, but package provenance and versions are not locked in the artifacts.
pip install websockets aiohttp
Install dependencies from a trusted package source and consider pinning versions in controlled environments.
Prompts, generation settings, and any provided backend credentials may be sent to the configured SAA endpoint.
The tool sends generation requests through a user-provided WebSocket backend. This is central to the stated purpose, but the endpoint identity depends on what the user provides.
`--ws-address`: WebSocket address (obtain from user)
Provide only trusted SAA WebSocket addresses, preferably local or otherwise controlled by the user.