Media Gen
Pass
Audited by ClawScan on May 8, 2026.
Overview
This appears to be a coherent AIsa media-generation skill that uses an API key and network calls as expected, with no evidence of malicious behavior in the visible artifacts.
Install only if you are comfortable sending media-generation prompts and any reference image URLs to AIsa and using an AISA_API_KEY. Store the key securely, monitor usage/quota, and review the full bundled Python script if deploying in a sensitive environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is exposed or misused, someone could potentially use the user's AIsa account or quota.
The client reads the AIsa API key and sends it as a bearer token in AIsa API requests. This is expected for the service, but the key can authorize account usage.
api_key = explicit or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {api_key}"
Use a dedicated AIsa key with appropriate limits if available, keep it in environment/secret storage, and avoid passing it directly on shared command lines.
Using the skill may send prompts or reference image URLs to AIsa, consume API quota, and create or overwrite output files chosen by the agent/user.
The client makes remote AIsa API calls and can download generated media to a local file. These actions are central to media generation, but they involve network use and local file writes.
POST https://api.aisa.one/apis/v1/services/aigc/video-generation/video-synthesis ... with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:
Review prompts and image URLs before sending sensitive content, and choose output paths carefully to avoid overwriting important files.
The visible portions look purpose-aligned and the static scan is clean, but this review cannot independently confirm every line of the script from the provided text.
The supplied review artifact marks the script content as truncated, so not every line of the bundled client was visible in the prompt.
"truncated": true
Before installing in a sensitive environment, review the full script from the package/source repository.
