Back to plugin

Security audit

Stock Hot

Security checks across malware telemetry and agentic risk

Overview

The package is internally consistent with its stated purpose (a wrapper that calls the AIsa API to produce market research), but there are a few small mismatches (undeclared environment variables and an uninstalled Python dependency) you should be aware of before installing.

This package appears to do what it says: it runs a Python script that sends prompts to the AIsa API to produce a 'hot scanner' market report. Before installing, consider: (1) Only provide a trusted AISA_API_KEY — this key is sent to the AIsa endpoint. (2) The script accepts AISA_BASE_URL (not declared in the manifest) — avoid setting that to an untrusted URL because it would redirect where your key and requests go. (3) Install the Python dependency (openai) from a trusted source (e.g., pip) so the script runs as intended. (4) Understand that the script relies on the AIsa model/tooling to 'fetch live data' (the skill itself does not directly scrape Yahoo/CoinGecko); verify you trust the AIsa service for live data. If you need higher assurance, request the publisher to declare AISA_BASE_URL and AISA_MODEL in the manifest and to include an explicit dependency/install step for the Python SDK.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.