Chinese LLM Models (Kimi 2.5, MiniMax 2.5, Qwen, DeepSeek) with One Key

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the API key is exposed, someone else could use the account or consume paid quota.

Why it was flagged

The skill requires an AIsa API key and shows a command-line option that can include the key directly. This is expected for the provider setup, but API keys are sensitive credentials.

Skill content

requires:\n  env:\n    - AISA_API_KEY ... openclaw onboard --auth-choice aisa-api-key --aisa-api-key "your-key-here"

Recommendation

Prefer the interactive onboarding flow or a secure environment/secret manager. Avoid pasting real keys into shared terminals, logs, or shell history, and rotate the key if exposed.

What this means

Prompts, completions, and any data included in model requests may be processed by AIsa and its upstream model partners.

Why it was flagged

The configuration sends model requests through AIsa’s external API endpoint. This is the stated purpose of the skill, but it establishes a third-party data boundary for prompts and outputs.

Skill content

"baseUrl": "https://api.aisa.one/v1", "apiKey": "${AISA_API_KEY}"

Recommendation

Use only if you trust the provider and its terms. Do not send sensitive, regulated, or confidential data until you have verified retention, logging, and data-processing policies.

What this means

Future OpenClaw sessions may use AIsa by default, which can affect cost, latency, privacy, and model behavior.

Why it was flagged

The examples can make AIsa the primary or fallback model provider in persistent OpenClaw configuration. This is user-directed and purpose-aligned, but affects future agent behavior.

Skill content

"primary": "aisa/qwen3-max", "fallback": ["aisa/qwen-mt-flash", "aisa/deepseek-v3.1"]

Recommendation

Review ~/.openclaw/openclaw.json after setup and confirm the primary and fallback models match your intended provider choices.

What this means

Users may over-rely on marketing-style privacy assurances when deciding whether to send sensitive prompts through the provider.

Why it was flagged

The artifact makes strong privacy and Zero Data Retention claims. They may be true, but the supplied artifacts do not include the underlying agreement or a full data-retention policy.

Skill content

Users do not need to worry about data privacy — AIsa has executed a formal ZDR agreement with Moonshot AI.

Recommendation

Independently verify AIsa’s current privacy policy, ZDR scope, upstream provider handling, and whether AIsa itself logs or retains requests.

What this means

Users must rely on the marketplace listing and provider website for authenticity and claims about partnerships, pricing, and privacy.

Why it was flagged

The registry metadata does not identify a source repository or independently verifiable package origin. There is no executable code in this skill, so this is a provenance note rather than a code-supply-chain concern.

Skill content

Source: unknown; Homepage: https://marketplace.aisa.one

Recommendation

Verify the provider and marketplace page before configuring a real API key or making it a default provider.