Plugin v1.0.0

ClawScan security

Tavily Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 23, 2026, 11:30 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package is internally consistent: it implements a Python CLI that calls AIsa's API and requires only an AISA_API_KEY, which matches the skill's stated search/retrieval purpose.
Guidance
This skill will send your queries (and any URLs you pass) to AIsa's API at api.aisa.one using the AISA_API_KEY you provide. Only install if you trust the AIsa service and are comfortable sending search queries and scraped content to that endpoint. Use a dedicated, limited-scope API key if possible, and monitor API usage/quotas. If you plan to search proprietary or sensitive documents, avoid sending them to third-party APIs or review the vendor's privacy/data-retention policies first.

Review Dimensions

Purpose & Capability
ok
Name/description, manifests, and code consistently implement a search/retrieval skill. The openclaw.plugin.json and SKILL.md require AISA_API_KEY and python3, which the included Python client actually uses.
Instruction Scope
ok
Runtime instructions point to running the bundled Python CLI (scripts/search_client.py). The script only reads AISA_API_KEY from the environment and sends queries/URLs to api.aisa.one; it does not attempt to read unrelated system files, credentials, or hidden endpoints.
Install Mechanism
ok
No install spec and no remote downloads are present. This is an instruction-only/native wrapper package with a small embedded Python client — low-risk from an install perspective.
Credentials
ok
Only AISA_API_KEY is requested (declared as primaryEnv and required). The key is used as a Bearer token to authenticate requests to the AIsa API — proportionate to the skill's purpose.
Persistence & Privilege
ok
The skill is not always-enabled, is user-invocable, and does not request elevated or persistent system privileges or try to modify other skills' configs.