Back to plugin

Security audit

Openclaw Airapi Provider

Security checks across malware telemetry and agentic risk

Overview

The plugin is internally coherent: it registers an AirAPI provider, uses per-model runtime endpoints, and only requires an AirAPI API key — there are no unexpected install steps, unrelated credentials, or hidden endpoints in the source.

This plugin appears to do what it says: it will ask for your AirAPI API key (AIRAPI_API_KEY) and register two Qwen models using per-model endpoints at ap-1.aieev.cloud. Before installing: (1) confirm you trust the AirAPI account and the ap-1.aieev.cloud domain where inference calls will go, (2) be aware onboarding will add model entries into your OpenClaw agent config (~/.openclaw/openclaw.json), and (3) note the registry metadata summary omitted the env var even though the code and SKILL.md require AIRAPI_API_KEY — review the source (index.ts) if you want to verify behavior locally. If you are cautious, install from the source repo and inspect the index.ts file (which is small and readable) before trusting your API key.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.