Generate images & videos with: Gemini 3 Pro Image (image) + Qwen Wan 2.6 (video) via one API key
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-aisa-image-video-models-wan2-6-gemini-3-pro-image-nano-banana Version: 1.0.0 The skill is designed to generate images and videos using the AIsa API. The `SKILL.md` and `README.md` provide clear instructions and examples for this purpose. The Python script `scripts/media_gen_client.py` handles API calls to `https://api.aisa.one` using the `AISA_API_KEY` and saves generated media (images, videos) to local files. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent. All network communication is directed to the stated `aisa.one` domain, and file operations are limited to saving the generated output.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests made through the skill will use your AIsa account key and may consume quota or incur provider-side usage.
The client uses the user's AIsa API key as a bearer token for provider API calls. This is expected for the stated service, but it is still delegated account/billing authority.
api_key = explicit or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {api_key}"Use a dedicated, revocable API key with appropriate limits, and avoid putting unrelated secrets or sensitive private content in prompts.
The skill can create or overwrite local media output files when you run the documented commands.
The skill exposes user-directed local commands that can download generated media and write it to a specified output path. This is aligned with the purpose, but users should control output paths and downloads.
python3 {baseDir}/scripts/media_gen_client.py video-wait --task-id YOUR_TASK_ID --download --out out.mp4Use safe output filenames and confirm before downloading or overwriting important files.
You have less metadata-based assurance about who maintains the skill or where it originated.
The registry metadata does not identify a verified upstream source. This is a provenance notice rather than evidence of malicious behavior.
Source: unknown
Review the included script before using it with a real API key, and prefer a limited or revocable key.