Verified Research Engine (Web + Academic + Confidence Score)
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a normal external research/search integration, with the main cautions being API-key use and sending prompts to third-party search and answer services.
This skill looks coherent for web and academic research. Before installing, make sure you trust the AIsa/OpenClaw service with your queries, use a dedicated revocable API key, watch for quota or billing from deep-research calls, and avoid sending secrets or confidential internal instructions through the search prompts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume API quota or billing and send the requested research query to the external service.
The skill documents direct remote API calls using curl and the user's bearer token. This is central to the search purpose and is disclosed, but it means invocations can make network requests under the user's API account.
curl -X POST "https://api.aisa.one/apis/v1/perplexity/sonar" ... -H "Authorization: Bearer $AISA_API_KEY"
Use it for intended research tasks, and keep human review for expensive or broad deep-research requests.
Queries made through the skill can act under your AIsa API key and may affect your account quota, billing, or logs.
The client reads AISA_API_KEY from the environment and sends it as bearer authentication to AIsa. This is expected for the service, but it grants the skill delegated API access.
self.api_key = api_key or os.environ.get("AISA_API_KEY") ... "Authorization": f"Bearer {self.api_key}"Use a dedicated, revocable API key with the least scope available, avoid hard-coding it, and revoke it if you stop using the skill.
It is harder to independently verify maintainership, review history, or future changes.
The registry metadata does not identify a source repository or upstream package. This is a provenance gap, though the provided artifacts do not show a remote installer or hidden dependency.
Source: unknown
Prefer a verifiable source when available, and review the bundled script and version before installing or updating.
External services may receive the contents of your prompts, research questions, URLs, and optional system instructions.
The script sends user queries and optional system instructions to an external API endpoint. This is disclosed and purpose-aligned, but it is a provider data flow users should understand.
BASE_URL = "https://api.aisa.one/apis/v1" ... messages.append({"role": "system", "content": system}) ... messages.append({"role": "user", "content": query})Do not include secrets, private documents, internal system prompts, or sensitive business data in queries unless you are comfortable sharing them with the provider.