Skill v1.1.0
ClawScan security
Media Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 5:08 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions align with its stated purpose (media generation via the AIsa API); it asks only for an AISA_API_KEY and uses python3 to call api.aisa.one and save downloaded media.
- Guidance: This skill appears coherent: it uses your AISA_API_KEY to call api.aisa.one and may download generated media to local files. Before installing, confirm you trust the AIsa service and that the API key you provide has the desired scope/limits. Because the package source/homepage is unspecified, consider reviewing the full scripts (scripts/media_gen_client.py) yourself or using a limited API key, and be aware that generated outputs and any URLs returned by the service will be fetched and saved to disk. Autonomy is allowed by default (the agent can invoke skills), so only enable the skill for agents you trust to act on your behalf.
Review Dimensions
- Purpose & Capability: ok. Name/description describe image/video generation and the package includes a Python client that calls https://api.aisa.one endpoints. Requested binary (python3) and required env var (AISA_API_KEY) are expected and proportional to the stated purpose.
- Instruction Scope: ok. SKILL.md instructs using the bundled script (python3 scripts/media_gen_client.py) and to provide AISA_API_KEY; the code performs HTTP calls to the AIsa API and saves returned media to disk or downloads signed URLs. The instructions do not ask the agent to read unrelated local files or other credentials.
- Install Mechanism: ok. No install spec (instruction-only) and a bundled Python script are provided. Nothing is downloaded or installed at skill-install time by the skill itself.
- Credentials: ok. Only AISA_API_KEY is required and marked as the primary credential, which matches the script's use of a single API key to authenticate requests to api.aisa.one.
- Persistence & Privilege: ok. always:false and user-invocable:true. The skill does not request persistent elevated privileges or to modify other skills or system-wide settings.
