Media Gen
Pass
Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: media-gen-aisa-api
Version: 1.0.0
The media-gen skill is a legitimate tool for interacting with the AIsa API (aisa.one) to generate images and videos. The bundled Python script (scripts/media_gen_client.py) uses standard libraries to perform API requests and handle file downloads, with no evidence of data exfiltration, unauthorized execution, or persistence mechanisms. The SKILL.md instructions are well-documented and align strictly with the stated purpose of providing a unified interface for various AI models like Gemini, Wan, and Seedream.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is exposed or misused, someone could potentially use the user's AIsa account or quota.
The client reads the AIsa API key and sends it as a bearer token in AIsa API requests. This is expected for the service, but the key can authorize account usage.
api_key = explicit or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {api_key}"
Use a dedicated AIsa key with appropriate limits if available, keep it in environment/secret storage, and avoid passing it directly on shared command lines.
Using the skill may send prompts or reference image URLs to AIsa, consume API quota, and create or overwrite output files chosen by the agent/user.
The client makes remote AIsa API calls and can download generated media to a local file. These actions are central to media generation, but they involve network use and local file writes.
POST https://api.aisa.one/apis/v1/services/aigc/video-generation/video-synthesis ... with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:
Review prompts and image URLs before sending sensitive content, and choose output paths carefully to avoid overwriting important files.
The visible portions look purpose-aligned and the static scan is clean, but this review cannot independently confirm every line of the script from the provided text.
The supplied review artifact marks the script content as truncated, so not every line of the bundled client was visible in the prompt.
"truncated": true
Before installing in a sensitive environment, review the full script from the package/source repository.
