Unified LLM Gateway - One API for 70+ AI models. Route to GPT, Claude, Gemini, Qwen, Deepseek, Grok and more

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward LLM gateway, but users should know their AIsa API key and submitted prompts or images are sent to api.aisa.one.

This skill looks coherent for its stated purpose. Before installing, confirm you trust the AIsa/OpenClaw gateway, use a limited API key, and avoid sending sensitive prompts or images unless you are comfortable with the provider's data handling and billing terms.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less assurance about who maintains the gateway integration before trusting it with an API key.

Why it was flagged

The publisher/source provenance is not identified. This matters because the skill uses a credentialed external API, although the artifacts do not show a remote installer, hidden dependency, or unreviewed auto-execution path.

Skill content

Source: unknown

Recommendation

Verify the skill publisher and AIsa/OpenClaw relationship before adding a real API key, especially for paid or sensitive workloads.

What this means

Requests made through the skill may consume account quota or incur costs under the configured AIsa key.

Why it was flagged

The helper reads an AIsa API key from the environment and sends it as a bearer token. This is expected for the stated LLM gateway purpose, but it grants access to the user's AIsa account and quota.

Skill content

self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"

Recommendation

Use a dedicated, revocable API key with appropriate limits, and avoid exposing the key in prompts, logs, or shared shell history.

What this means

Prompts, message history supplied to the call, and image URLs or image data may be processed outside the local environment by the gateway and routed model providers.

Why it was flagged

The client sends chat payloads, and for vision requests image URLs plus prompts, to the external AIsa gateway. This is central to the skill's purpose, but it creates a third-party data boundary.

Skill content

BASE_URL = "https://api.aisa.one/v1" ... return self._request("POST", "/chat/completions", data=payload, stream=stream)

Recommendation

Do not send secrets, private documents, or regulated data unless AIsa's privacy, retention, and routing policies meet your needs; give the agent clear limits on what content may be sent.