SmartSaaS Review
Audited by ClawScan on May 18, 2026.
Overview
SmartSaaS is a coherent SaaS-management skill, but its add-to-dataset script disables HTTPS certificate validation while sending the API key, and the skill has broad account-changing capabilities that users should review carefully.
Review before installing. If you use it, set a narrowly scoped SmartSaaS API key, fix or avoid the add-to-dataset script until TLS verification is corrected, and only run mutating actions such as integrations, campaigns, emails, team changes, and cron/webhooks when you explicitly intend them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or a misconfigured proxy could capture the SmartSaaS API key or alter dataset item requests.
This script sends the SmartSaaS bearer API key with curl while disabling HTTPS certificate validation for any HTTPS base URL, not just localhost. That can expose the API key and dataset updates to interception or tampering.
```bash
AUTH_HEADER="Authorization: Bearer $KEY"
CURL_OPTS="-s -S"
# Appends -k for every https:// base URL, so certificate checks are off for
# any remote host, not only a local development server.
[[ "$BASE" == https://* ]] && CURL_OPTS="$CURL_OPTS -k"
```
Remove the global `-k`; allow insecure TLS only for an explicit localhost development setup, validate the base URL before using it, and rotate the API key if it may have been sent over an untrusted network.
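The following is an added example of what the recommendation above looks like in code; it is not code from the SmartSaaS skill. The function names, the `SMARTSAAS_*` environment variables and the `/datasets/<id>/items` request path are assumptions made for illustration. The point it adds beyond the finding is the userinfo check: a URL such as `https://localhost:443@evil.example/` starts with `https://localhost:` but curl treats `localhost:443` as credentials and connects to `evil.example`, so a loopback exception that only looks at the prefix can still be turned into `-k` against a remote host.

```bash
#!/bin/sh
# Added example, not code from the SmartSaaS skill. Names and the request path
# are assumptions for illustration.
set -eu

# Print the curl options for BASE, or fail for a base URL the script should
# refuse. "-k" is emitted only for an https loopback URL, and only when the
# developer opted in explicitly; every other https host is verified strictly.
smartsaas_curl_opts() {
  base="$1"
  opts="-s -S -f"   # -f: non-2xx responses become errors instead of silent success

  # Userinfo or whitespace in the URL lets "localhost" become a username for a
  # different host (https://localhost:443@evil.example), so refuse both.
  case "$base" in
    *@*|*' '*)
      echo "refusing base URL with userinfo or whitespace" >&2
      return 1 ;;
  esac

  case "$base" in
    https://localhost|https://localhost[:/]*|https://127.0.0.1|https://127.0.0.1[:/]*|"https://[::1]"*)
      # Local dev server with a self-signed certificate: trust its CA when one
      # is configured, otherwise allow -k only on explicit opt-in.
      if [ -n "${SMARTSAAS_CA_CERT:-}" ]; then
        opts="$opts --cacert $SMARTSAAS_CA_CERT"
      elif [ "${SMARTSAAS_DEV_INSECURE_TLS:-0}" = "1" ]; then
        opts="$opts -k"
      fi ;;
    https://*)
      ;;   # any other host: full certificate verification, never -k
    http://localhost|http://localhost[:/]*|http://127.0.0.1|http://127.0.0.1[:/]*)
      ;;   # plaintext is tolerated on loopback only
    *)
      echo "refusing base URL $base: use https:// (http:// only on loopback)" >&2
      return 1 ;;
  esac
  printf '%s\n' "$opts"
}

# Send one dataset item. The API key is read from the environment, never
# echoed, and handed to curl through a 0600 header file (-H @file) instead of
# argv, so it does not show up in `ps`. DRY_RUN=1 prints the call instead.
smartsaas_add_item() {
  base="$1"; dataset_id="$2"; item_json="$3"
  opts="$(smartsaas_curl_opts "$base")" || return 1
  [ -n "${SMARTSAAS_API_KEY:-}" ] || { echo "SMARTSAAS_API_KEY is not set" >&2; return 2; }
  hdr="$(mktemp)"   # mktemp creates the file with mode 0600
  printf 'Authorization: Bearer %s\n' "$SMARTSAAS_API_KEY" > "$hdr"
  rc=0
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'curl %s -H @<header-file> -H "Content-Type: application/json" -X POST --data-binary @- %s/datasets/%s/items\n' \
      "$opts" "$base" "$dataset_id"
  else
    # $opts is deliberately unquoted so it word-splits into separate flags.
    printf '%s' "$item_json" | curl $opts -H @"$hdr" -H 'Content-Type: application/json' \
      -X POST --data-binary @- "$base/datasets/$dataset_id/items" || rc=$?
  fi
  rm -f "$hdr"
  return "$rc"
}

# Demo with constructed values: a dry run against a remote host, and the
# userinfo trick being refused.
SMARTSAAS_API_KEY="example-key-not-real"; export SMARTSAAS_API_KEY
DRY_RUN=1; export DRY_RUN
smartsaas_add_item https://api.smartsaas.example ds_123 '{"text":"hello"}'
if ! smartsaas_curl_opts 'https://localhost:443@evil.example/' 2>/dev/null; then
  echo "userinfo trick refused, as intended"
fi
```

To run the real call, leave `DRY_RUN` unset and export `SMARTSAAS_API_KEY`; for a local server with a self-signed certificate, point `SMARTSAAS_CA_CERT` at its CA file rather than reaching for `SMARTSAAS_DEV_INSECURE_TLS=1`.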
Anyone or any agent action using this key may be able to read or change business data in SmartSaaS within the key's permissions.
The API key is expected for this integration and the artifacts say not to echo it, but it can grant read/write access to SmartSaaS account resources.
The API key is created in SmartSaaS (APIScreen) with permissions such as `data:read`, `data:write`, `projects:read`, `projects:write`. Do not log or echo the API key.
Use a least-privilege SmartSaaS API key scoped only to the actions you need, and revoke or rotate it if the skill or local repo is no longer trusted.
A cron configuration could continue triggering SmartSaaS/OpenClaw events until disabled.
The skill can configure scheduled backend jobs that may keep dispatching webhook payloads after the current conversation. This is disclosed and purpose-aligned, but it is persistent behavior.
```bash
# POSTs cron/schedule config to SmartSaaS. Backend may use this to register
# jobs that dispatch to the openclaw webhook.
# Config typically includes: schedule (cron expression or name), payload, enabled, etc.
```
Only configure cron/webhook jobs when explicitly needed, review the payload and schedule, and keep a clear way to disable or audit active jobs.
If the local repo path is replaced or modified, OpenClaw may load changed skill code outside the normal install flow.
The documented install path relies on a local repo loaded through extraDirs rather than a normal install spec. That can be legitimate, but users must trust the local files they add.
This skill is not installed via clawhub. Tell the user: (1) Add the path to this repo's `skills` folder to `skills.load.extraDirs` in `~/.openclaw/openclaw.json`.
Install only from a trusted local checkout, review updates before restarting OpenClaw, and keep the skill directory permissions controlled.
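An added example of how to act on the recommendation above, not code from the skill or from OpenClaw: record a hash manifest of the directory you add to `skills.load.extraDirs` once you have reviewed it, and re-check it, together with its file permissions, before each OpenClaw restart. The function names, the manifest file location and the demo skill directory are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not part of the skill or of OpenClaw. Names and paths are
# assumptions for illustration.
set -eu

# Use sha256sum where available (coreutils), otherwise shasum (macOS).
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Hash every regular file under DIR, sorted by path, as "<sha256>  ./relative/path".
skill_manifest() {
  dir="$1"
  ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      _sha256 "$f"
    done )
}

# Fail if anything under DIR is group- or world-writable: a writable skill
# directory lets another local account change what OpenClaw loads next.
skill_check_perms() {
  dir="$1"
  bad="$(find "$dir" \( -perm -g+w -o -perm -o+w \) | head -n 1)"
  if [ -n "$bad" ]; then
    echo "group/world-writable path in skill dir: $bad" >&2
    return 1
  fi
}

# Compare DIR against a manifest written earlier; show the difference and fail
# on any added, removed or modified file.
skill_check_manifest() {
  dir="$1"; manifest="$2"
  current="$(skill_manifest "$dir")"
  if [ "$current" != "$(cat "$manifest")" ]; then
    echo "skill directory changed since the manifest was recorded:" >&2
    printf '%s\n' "$current" | diff "$manifest" - >&2 || true
    return 1
  fi
}

# Demo with a constructed throwaway skill directory.
skill_dir="$(mktemp -d)"
printf '# SmartSaaS skill\n' > "$skill_dir/SKILL.md"
manifest="$skill_dir.manifest"
skill_manifest "$skill_dir" > "$manifest"
skill_check_perms "$skill_dir" && skill_check_manifest "$skill_dir" "$manifest" \
  && echo "skill directory matches the pinned manifest"
printf 'extra line\n' >> "$skill_dir/SKILL.md"
skill_check_manifest "$skill_dir" "$manifest" || echo "review this change before restarting OpenClaw"
rm -rf "$skill_dir" "$manifest"
```

Record the manifest right after you have reviewed a checkout (`skill_manifest ~/src/smartsaas/skills > ~/.openclaw/smartsaas.manifest`), keep it outside the skill directory, and run both checks before every restart; when the check fails after a `git pull`, read the diff, then re-record.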
