Back to plugin

Security audit

AIsa Twitter

Security checks across malware telemetry and agentic risk

Overview

The package appears to do what it claims — a Python-based AIsa-backed Twitter/X client requiring an AISA_API_KEY — with no unexpected credential requests or arbitrary downloads, though there are minor metadata inconsistencies to note.

This plugin is internally consistent with a Twitter/X client backed by AIsa and requires an AISA_API_KEY (the plugin manifest enforces it). Before installing: 1) Confirm you trust the AIsa service (api.aisa.one) because your AISA_API_KEY will be sent there in requests. 2) Treat the AISA_API_KEY like any API secret — use a scoped key and rotate/revoke it if needed. 3) The code can open a browser for OAuth approval and will upload local workspace media files to the relay; avoid placing sensitive files in the workspace. 4) Note the small metadata mismatch: the packaging metadata you were shown earlier claimed no required env vars while the shipped SKILL.md and openclaw.plugin.json require AISA_API_KEY — verify that your agent runtime will supply that config. 5) If you need higher assurance, inspect the repo source for api.aisa.one behavior or run the scripts in an isolated environment before granting production credentials.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.