Plugin v0.1.0

ClawScan security

AIsa Provider · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 29, 2026, 10:07 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This plugin's code, instructions, and required credential (AISA_API_KEY) align with its stated purpose of registering an AIsa provider for OpenClaw; nothing in the files indicates unexplained access or exfiltration.
Guidance
This package appears internally consistent for adding an AIsa provider: it only needs your AISA_API_KEY and registers model metadata and onboarding hooks. Before installing, confirm you trust the AIsa endpoint (https://api.aisa.one) and that the API key's permissions are appropriate. Note the registry metadata in the submission omitted the required env var — verify the listed source/origin (author or ClawHub listing) if you need provenance assurance. Rotate or scope the API key if possible and review the small code bundle (it’s brief and readable) if you want additional confidence.

Review Dimensions

Purpose & Capability
ok: The package registers an 'aisa' provider, exposes an OpenAI-compatible gateway, lists AIsa model refs, and asks for an AISA_API_KEY — all consistent with a provider plugin for the AIsa gateway.
Instruction Scope
ok: SKILL.md and code only instruct installation of the plugin, restarting the gateway, and providing an AISA_API_KEY (or using onboarding). The runtime code registers provider metadata and catalog entries; it does not read unrelated files, access other credentials, or direct data to unexpected endpoints.
Install Mechanism
ok: No install spec or external downloads are present. The package is source-only (TypeScript files and manifest) and relies on the OpenClaw plugin SDK — nothing writes or downloads arbitrary code from untrusted URLs.
Credentials
note: The plugin reasonably requires a single provider API key (AISA_API_KEY). One minor inconsistency: the top-level registry metadata in the submission listed 'Required env vars: none' while the plugin and SKILL.md clearly reference AISA_API_KEY; this appears to be a metadata omission rather than malicious behavior.
Persistence & Privilege
ok: The plugin does not request 'always: true' or other elevated persistent privileges. It registers itself as a normal provider and uses OpenClaw onboarding hooks only for its own config.