AIsa Media Gen

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated images or videos may be billed to or counted against the AIsa account tied to the key.

Why it was flagged

The helper reads the AIsa API key and uses it as a bearer credential for provider requests, which is expected for this integration but gives the skill access to the user's AIsa account quota.

Skill content

api_key = explicit or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated or restricted AIsa key if available, prefer the environment variable over passing keys on the command line, and monitor provider usage.

What this means

Prompt text and any reference image URL you provide will be sent to the external provider and could expose private or signed URLs.

Why it was flagged

The client sends user prompts and reference image URLs to external AIsa API endpoints; this is disclosed and aligned with the media-generation purpose.

Skill content

GEMINI_BASE_URL = "https://api.aisa.one/v1" ... "prompt": prompt, "img_url": img_url

Recommendation

Do not submit confidential prompts, private reference images, or signed URLs unless you are comfortable sending them to AIsa.

What this means

If invoked with an unsafe output path, the skill can write generated media to local storage and may overwrite an existing file.

Why it was flagged

The optional video download flow writes provider-returned media content to a local file; this is purpose-aligned and user-directed, but it can create or overwrite files at the selected output path.

Skill content

with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f: ... f.write(chunk)

Recommendation

Use explicit, non-sensitive output paths and review before enabling downloads.

What this means

You must trust the packaged script and registry publisher rather than a verifiable upstream source.

Why it was flagged

The registry metadata does not identify a source repository or provenance for the skill, even though a runnable helper script is included.

Skill content

Source: unknown

Recommendation

Install only if you trust the publisher, and review the included helper script when provenance matters.