Images & videos generation with Gemini 3 Pro Image + Qwen Wan 2.6 (video) via one API key

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent media-generation skill, but it uses an AIsa API key, sends prompts and image URLs to an external service, and writes generated files locally.

This skill looks reasonable for generating images and videos through AIsa. Before using it, make sure you are comfortable sending prompts and reference image URLs to AIsa, protect your AISA_API_KEY, and save outputs only to paths where overwriting files would not matter.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone who obtains the key may be able to use the associated AIsa account or quota.

Why it was flagged

The client reads the AIsa API key and sends it as a bearer token to the AIsa API. This is expected for the service, but it is still a credential with account/API usage authority.

Skill content

api_key = explicit or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {api_key}"

Recommendation

Use a scoped or revocable AIsa key if available, prefer the environment variable over putting the key in chat or command history, and rotate the key if exposed.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Prompts, reference image URLs, and generated media metadata may be processed by the external provider.

Why it was flagged

The video generation request sends the user's prompt and reference image URL to the external AIsa API. This is purpose-aligned, but it crosses a data boundary.

Skill content

"prompt": prompt, "img_url": img_url

Recommendation

Avoid submitting private, confidential, or regulated content unless you trust AIsa's handling of that data and its downstream model providers.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Generated media files will be written to the local filesystem at the selected output path.

Why it was flagged

The client writes generated images to a local output path, and the video download path similarly saves files locally. This is expected for a media generation tool, but it can overwrite files if the chosen path is unsafe.

Skill content

out_path = args.out or _safe_filename(ext)
with open(out_path, "wb") as f:
    f.write(data)

Recommendation

Choose output paths in a working folder, avoid protected or important filenames, and confirm before overwriting existing files.