Back to skill
Skillv1.0.0
ClawScan security
aisa financial data api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:00 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested binaries, environment variable, instructions, and included Python client align with its stated purpose of querying an AIsa financial API and do not contain obvious incoherent or malicious behavior.
- Guidance
- This skill appears coherent for accessing the AIsa financial API, but before installing: verify the legitimacy of the AIsa service and api.aisa.one (confirm billing, rate limits, and privacy policy), only provide an API key with the minimum necessary permissions, avoid using high-privilege or shared secrets, and rotate the key if you later uninstall the skill. Also confirm that using a client that posts data to api.aisa.one matches your expectations (the SKILL.md and code consistently target that domain). If you need stronger assurance, request provenance/ownership details from the publisher or test with a limited/test API key first.
Review Dimensions
- Purpose & Capability
- noteName/description match the code and SKILL.md: both target AIsa financial data at api.aisa.one and only require an AISA_API_KEY, curl, and python3. Minor note: the skill's listed homepage is openclaw.ai while the API hostname is api.aisa.one — not necessarily suspicious but worth verifying the provider and billing relationship before use.
- Instruction Scope
- okSKILL.md instructs only to set AISA_API_KEY and call the documented API endpoints (via curl) or use the provided Python client. The instructions do not request reading unrelated files, additional environment variables, or exfiltrating data to other endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only) and the single included Python client is self-contained; nothing is downloaded from untrusted URLs or written to disk by an installer.
- Credentials
- okOnly one credential (AISA_API_KEY) is required and used consistently by the Python client and curl examples. No unrelated secrets or config paths are requested.
- Persistence & Privilege
- okThe skill is not marked always:true and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.