Skill v1.0.0

ClawScan security

AI Media Generation En · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:36 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment variable (AISA_API_KEY) are consistent with its stated purpose of driving the AIsa image/video APIs; there are no disproportionate permissions, installs, or hidden behaviors in the provided files.
Guidance
This skill appears coherent and implements what it claims, but consider the following before installing:
1) You will be sending whatever key you provide (AISA_API_KEY) to api.aisa.one — only use an API key you trust to be used with this third party and avoid reusing high-privilege or long-lived credentials.
2) The client will download media (including potentially large video files) to local disk when you use the video-download options — ensure you trust the returned URLs and have disk space.
3) Review the AIsa service's privacy/terms and pricing (the SKILL.md advertises third-party "contract" pricing); this is a trust decision outside the code.
4) If you have any doubt about the source, run the included Python script in an isolated environment (container) and inspect network traffic or use a throwaway API key.

Review Dimensions

Purpose & Capability
ok: Name/description, required binaries (python3 and curl) and the single required env var (AISA_API_KEY) match the implementation: the Python client and curl examples call the AIsa endpoints. (Minor note: curl is used only in SKILL.md examples; the shipped client uses python3.)
Instruction Scope
ok: SKILL.md instructs the agent to call documented AIsa endpoints, export the AISA_API_KEY, create/poll video tasks, and save returned media. The included Python client only uses the declared env var and network calls to api.aisa.one; it does not access other local files or unrelated environment variables. It will download media URLs returned by the API to disk when requested (expected behavior for a media client).
Install Mechanism
ok: No install spec is present (instruction-only with a bundled Python script). This is low-risk: nothing is downloaded/installed automatically by the skill beyond running the provided script.
Credentials
ok: Only AISA_API_KEY is required (primaryEnv). The code accepts an explicit --api-key override and otherwise reads only AISA_API_KEY from the environment. No other credentials or unrelated secrets are requested.
Persistence & Privilege
ok: The skill does not request always:true or any elevated platform presence and does not modify other skills or system settings. It runs on-demand using the provided client and network calls.