Skill v1.0.1
ClawScan security
Unified API for powerful image and video generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 6:06 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested environment access line up with its stated purpose (generating images and videos via the AIsa API using a single AISA_API_KEY).
- Guidance: This skill appears internally consistent, but before installing consider: (1) You must trust the external AIsa service because your AISA_API_KEY and requests will be sent to api.aisa.one; keys may be billed or grant broad access—do not reuse sensitive keys. (2) The client will download generated media and any user-supplied image URLs to local disk—avoid passing untrusted URLs and run the tool in an environment where large downloads and file writes are acceptable. (3) Examples use curl while the client is Python-based; curl is not harmful but is only needed for example CLI snippets. (4) Review the provided scripts if you have stricter security requirements, and consider running them in an isolated container or VM if you want to limit network/file-system exposure.
Review Dimensions
- Purpose & Capability (ok): Name/description ask for one API key for AIsa image/video generation; the skill requires AISA_API_KEY and binaries python3 and curl, and the included Python client calls only api.aisa.one endpoints. All requested capabilities are consistent with generating media from AIsa.
- Instruction Scope (ok): SKILL.md describes calling AIsa endpoints, creating/polling async video tasks, extracting inline image data, and saving files locally. Instructions do not ask the agent to read unrelated files, other credentials, or exfiltrate data to unexpected endpoints; all network calls target api.aisa.one or user-supplied media URLs.
- Install Mechanism (ok): No install spec (instruction-only plus an included Python script). That is low-risk; nothing is fetched from arbitrary third-party URLs during install. The provided Python script uses only the stdlib (urllib) and writes outputs to local files.
- Credentials (ok): Only AISA_API_KEY is declared and used (also exposed via an optional --api-key flag). This is proportionate for a client that authenticates to AIsa. No unrelated secrets or configuration paths are requested.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated platform privileges. It writes downloaded media to local files (expected behavior) but does not attempt to modify other skills or global agent configs.
