Security audit
Tavily Extract
Security checks across malware telemetry and agentic risk
Overview
The package is internally coherent for a research/search skill: it calls the AIsa API and requires an AISA_API_KEY; nothing in the files indicates hidden exfiltration or unrelated privileges.
This skill legitimately needs an AISA_API_KEY because it calls AIsa APIs at https://api.aisa.one. Before installing: (1) Expect network traffic and that queries/results are sent to aisa.one; review Aisa's privacy/terms and do not send sensitive secrets or private data. (2) Provide only a scoped API key (if available) and avoid pasting long-lived org-wide secrets. (3) Note the registry metadata you saw earlier incorrectly listed no required env — trust the packaged manifest (openclaw.plugin.json and SKILL.md) which do require AISA_API_KEY. (4) If you need extra assurance, inspect the running CLI and monitor outbound requests or run it in a sandboxed environment first.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
