One API key for Chinese AI models. Route to Qwen, Deepseek

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Chinese LLM gateway client, but using it sends prompts and an AISA API key to the external AIsa service.

This skill looks purpose-aligned for accessing Qwen, DeepSeek, and related models through AIsa. Before using it, verify that api.aisa.one is the service you intend to use, set a dedicated AISA_API_KEY if available, monitor usage/costs, and avoid sending confidential data unless you accept the provider's data handling terms.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or anything using this skill with your environment key may be able to consume your AIsa API quota or access the service under your account.

Why it was flagged

The client reads an AISA API key from the environment and uses it to authenticate API calls. This is expected for the stated service, but it grants access to the user's AIsa account/quota.

Skill content

self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"

Recommendation

Use a dedicated API key if possible, monitor usage, rotate the key if exposed, and avoid placing the key in shared logs or prompts.

What this means

Prompts, documents, code snippets, or other text sent through the skill may be processed by the external gateway and downstream model providers.

Why it was flagged

User messages are packaged into API requests and sent to the external AIsa gateway. This is central to the skill's purpose, but it is a data boundary users should understand.

Skill content

BASE_URL = "https://api.aisa.one/v1" ... payload = { "model": model, "messages": messages, "stream": stream }

Recommendation

Do not send secrets, regulated data, or sensitive private content unless you trust the provider's data handling and retention policies.

What this means

It may be harder to verify who maintains the client or whether future versions match the reviewed behavior.

Why it was flagged

The registry does not identify the source repository or provenance. The included artifacts do not show a remote installer or hidden dependency, so this is a provenance note rather than a security concern.

Skill content

Source: unknown

Recommendation

Check the publisher, homepage, and API provider before installing, especially because the skill handles an API key and sends prompts to an external service.