Is mirabarukaso/saa-agent safe?

SKILL.md explicitly instructs the agent to 'execute the command directly without asking for confirmation' by default. While the skill provides conditions under which to show the command first, making silent execution the default lowers the agent's natural caution threshold for shell command invocation. This is an attempt by skill content to shape agent behavior toward reduced oversight — a soft but real prompt-injection pattern.

saa-agent.py disables both hostname verification and peer certificate validation for WSS connections. This is applied in the HTTP login() method (which POSTs credentials) and in the WebSocket connect() method. An attacker with MITM capability on the network path — e.g., on the same LAN as the user's SAA backend — can silently intercept authentication credentials and all WebSocket traffic without triggering any error.

The --username and --password parameters are passed as plaintext command-line arguments. On Linux, command-line arguments of running processes are readable via /proc/PID/cmdline by any process sharing the same user. This means other processes running as the same user (or root) can read the SAA backend credentials without any privilege escalation.

The --output parameter accepts an arbitrary filesystem path. The ProgressCallback writes binary-decoded image data directly to this path without any sanitization, restriction to a working directory, or path traversal prevention. If an LLM agent is prompted to generate an image and a malicious actor influences the output path parameter, files can be written to sensitive locations accessible to the running user.

SKILL.md instructs agents never to auto-retry on backend busy errors, but the Error Handling section separately says 'consider one retry with --verbose to capture diagnostic information' for general failures. These two policies conflict and create ambiguity about when retry is acceptable. A confused agent might retry busy-state errors, worsening backend congestion or submitting duplicate generation requests.

The combination of disabled SSL verification and plaintext credentials sent over the 'encrypted' WSS connection creates a practical credential theft scenario. An attacker in a position to intercept traffic (e.g., same network segment, compromised router, or DNS poisoning) can silently harvest SAA backend credentials. The user receives no warning because SSL errors are suppressed by design.

The --skeleton-key parameter forcefully terminates remote backend atomic locks, potentially disrupting concurrent legitimate generation operations by other users sharing the same SAA instance. SKILL.md requires explicit user confirmation before use, which appropriately gates this capability, but the feature remains a privileged disruption tool that could cause data loss or corruption on the remote backend.

The --base64 flag dumps the entire generated image as base64 to stdout with explicit delimiters. This is documented and intentional for programmatic use. However, if the WebSocket backend were attacker-controlled, it could return arbitrary base64-encoded data (not just PNG image data) through this channel, potentially smuggling exfiltrated content through an apparent image generation workflow.

The install process made outbound HTTPS connections to github.com (140.82.121.3:443) to perform the git sparse-checkout of the skill from the openclaw/skills monorepo. This is the expected, legitimate installation mechanism. No other unexpected outbound connections were observed, and the connection diff shows no new persistent listeners or established connections after install.

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and read at audit timestamps 1771923310 (before git clone at 1771923315) and 1771923327 (post-install final check). Both access windows are attributable to the Oathe audit framework's baseline and post-install checks, not any code from the skill itself. All files were opened CLOSE_NOWRITE and the integrity check confirms no modification.