Is juniorxcoder/saas-orchestrator safe?

https://github.com/openclaw/skills/tree/main/skills/juniorxcoder/saas-orchestrator

Overall score: 86 · SAFE

The saas-orchestrator skill is a legitimate SaaS project management and subagent orchestration tool with no malicious code, prompt injection attempts, or data exfiltration capabilities. All Python scripts are stdlib-only and write only to the local filesystem; no attacker-controlled network endpoints were contacted during install, and the canary file access events in monitoring are attributable to the oathe audit framework's own integrity checks rather than skill-initiated reads. The modest concerns are behavioral: the skill's design for spawning multiple subagents could cause uncontrolled API cost escalation in an automated context, the pervasive $1000+ MRR revenue framing could bias agent decisions away from user intent, and scripts silently write output files to the working directory on every invocation.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

LOW · Scripts silently write files to CWD on every invocation · -20

factory-status.py automatically calls save_status_report() at the end of its main block, writing factory_status_TIMESTAMP.txt to whatever directory the agent runs from, without requesting user confirmation. Both spawn scripts do the same for task template files. In an automated or multi-agent context, files will accumulate in ways the user may not expect or want.

LOW · JUNAI persona branding could shift agent identity and goal framing · -10

The skill introduces a named persona ('JUNAI') throughout SKILL.md and all scripts, with phrases like 'JUNAI's Command Center', 'JUNAI spawning SAAS researcher', 'JUNAI expects a clear recommendation', and 'Ready for JUN's strategic direction'. While not a hard override, this persona framing can influence an agent to present itself under this identity or to frame decisions as being made on behalf of JUNAI rather than the actual user.

LOW · Subagent spawning framework could cause uncontrolled API cost escalation · -15

The skill's primary purpose is spawning and coordinating multiple specialized subagents (market research, development, marketing, revenue tracking). An agent with tool access that interprets these instructions broadly could initiate many parallel subagent invocations without per-invocation user approval, leading to significant unexpected API costs or resource consumption.

INFO · Revenue-first bias could override user intent · -5

The skill consistently frames decisions through an aggressive revenue lens ($1000+ MRR minimum, 'kill decision this week' criteria, 'We're building an empire here'). This could cause an agent to recommend or initiate commercial actions (service signups, payment configurations, aggressive growth tactics) the user hasn't explicitly requested, or to dismiss projects the user values for non-commercial reasons.

INFO · Canary file read events detected but attributed to audit framework · -10

Both inotifywait and auditd recorded read access to all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at two timestamps: once before the git clone began and once after install completed. Timing analysis indicates these are consistent with the oathe audit framework reading the files to establish a pre-monitoring baseline and verify post-install integrity. No skill code reads these paths, and the oathe system confirms all canary files are intact.

INFO · Pre-committed execution artifacts reveal active development context · 0

The repository includes three files generated by running the skill's own scripts: two factory status reports and a market research task document. These are operational artifacts with specific project names and MRR figures. While not a security issue, it confirms the scripts execute successfully and suggests the developer may not have intended to expose their SaaS portfolio details publicly.