Skill v1.0.0
ClawScan security
AIsa Financial Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:59 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential (AISA_API_KEY) are consistent with a market-data client that queries api.aisa.one; there are no obvious mismatches or hidden exfiltration paths.
- Guidance: This skill appears to be a straightforward client for the AIsa market-data API and only needs one API key. Before installing: (1) verify you trust the service at api.aisa.one / the AIsa provider (billing, privacy, and data-retention implications of the key), (2) treat AISA_API_KEY as sensitive — avoid sharing it and rotate it if exposed, (3) check rate limits and billing tied to the key to avoid unexpected charges, and (4) if you need higher assurance, review the full included script locally (scripts/market_client.py) or run it in a sandbox to confirm behavior. Confidence in this assessment is high based on the provided files and instructions; if the publisher identity or hosting for api.aisa.one is unclear, consider verifying the provider before granting the key to agents.
Review Dimensions
- Purpose & Capability: ok. Name, description, SKILL.md examples, README, and the included Python client all align: this is a market-data client. Required binaries (curl, python3) and a single API key are appropriate for the stated purpose.
- Instruction Scope: ok. Runtime instructions tell the agent to call AIsa endpoints using the API key; they do not direct reading unrelated files, other environment variables, or transmission to third-party endpoints outside api.aisa.one. The SKILL.md examples are specific and scoped to finance data retrieval.
- Install Mechanism: ok. No install spec is present (instruction-only plus a client script). That minimizes disk-write/installation risk; the included script is a straightforward HTTP client with no archive downloads or executor steps.
- Credentials: ok. Only a single credential (AISA_API_KEY) is required and is the primaryEnv. That is proportional to a service that calls an external market-data API; no unrelated secret or config paths are requested.
- Persistence & Privilege: ok. The skill is not forced-always (always: false) and uses the normal model-invocation defaults. It does not request or modify other skills' configs or system-wide settings.
