Skill v1.0.0
ClawScan security
Chines LLM Models (MiniMax 2.5,Kimi 2.5, Qwen, Doubao, DeepSeek) with one key · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 6:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: it configures an external provider (AIsa) and only requests a single provider API key; there are no unexpected binaries, installs, or unrelated credentials requested.
- Guidance: This skill will route prompts and data to AIsa (api.aisa.one) using the AISA_API_KEY you provide — that's expected for a provider integration. Before installing: (1) verify the vendor domain and TLS (https://marketplace.aisa.one) and that the AIsa offering meets your compliance needs; (2) confirm the ZDR/enterprise contract claims with AIsa or Moonshot if you plan to send sensitive data; (3) use a scoped or billing-limited API key where possible, monitor usage and billing alerts, and rotate keys if you stop using the provider; (4) avoid sending highly sensitive PII to third-party APIs unless contractual protections are in place.
Review Dimensions
- Purpose & Capability (ok): Name/description (AIsa provider for Chinese models) matches the declared requirement (AISA_API_KEY) and the runtime instructions which show how to register AIsa models in OpenClaw. Required items are proportional to the stated goal.
- Instruction Scope (note): SKILL.md is instruction-only and confines actions to setting AISA_API_KEY, using OpenClaw onboarding commands, editing OpenClaw config, and calling api.aisa.one. This is expected for a provider integration. Note: the skill's operation entails sending user prompts/data to an external service (marketplace.aisa.one / api.aisa.one); the document additionally asserts enterprise 'Zero Data Retention' agreements (ZDR) for Kimi which are claims you should verify with the vendor.
- Install Mechanism (ok): No install spec or code is provided (instruction-only), so nothing is written to disk or downloaded by the skill itself. This is the lowest-risk install profile.
- Credentials (ok): Only a single environment variable (AISA_API_KEY) / primary credential is required, which is appropriate for an external API provider. There are no unrelated secrets, config paths, or broad permissions requested.
- Persistence & Privilege (ok): always is false and there is no install or self-modifying behavior. The skill does not request persistent platform privileges beyond normal API-key usage.
