Security audit
AIsa Twitter
Security checks across malware telemetry and agentic risk
Overview
The package appears to do what it claims — a Python-based AIsa-backed Twitter/X client requiring an AISA_API_KEY — with no unexpected credential requests or arbitrary downloads, though there are minor metadata inconsistencies to note.
This plugin is internally consistent with a Twitter/X client backed by AIsa and requires an AISA_API_KEY (the plugin manifest enforces it). Before installing: 1) Confirm you trust the AIsa service (api.aisa.one) because your AISA_API_KEY will be sent there in requests. 2) Treat the AISA_API_KEY like any API secret — use a scoped key and rotate/revoke it if needed. 3) The code can open a browser for OAuth approval and will upload local workspace media files to the relay; avoid placing sensitive files in the workspace. 4) Note the small metadata mismatch: the packaging metadata you were shown earlier claimed no required env vars while the shipped SKILL.md and openclaw.plugin.json require AISA_API_KEY — verify that your agent runtime will supply that config. 5) If you need higher assurance, inspect the repo source for api.aisa.one behavior or run the scripts in an isolated environment before granting production credentials.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
