Plugin v1.0.1

ClawScan security

Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 8:08 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The package is internally consistent: it requires python3 and a single AISA_API_KEY and contains a local Python client that calls https://api.aisa.one — the requested permissions and instructions match the stated search/research purpose.
Guidance
This skill is coherent with its stated purpose, but installing it gives the skill your AISA_API_KEY and will send user queries (and any optional system instruction strings) to https://api.aisa.one. Before installing: verify you trust Aisa (review their privacy/data-retention policy), avoid sending secrets or PII in queries, consider using a scoped or rate-limited API key, and monitor API usage after enabling the skill. If you need offline searches or want to avoid relaying data to a third party, do not install this skill.

Review Dimensions

Purpose & Capability
ok · Name/description, manifests, SKILL.md, and the Python client all consistently describe a search/research client that uses AISA_API_KEY to call api.aisa.one. The requested binary (python3) and env var (AISA_API_KEY) are expected and proportional to the stated functionality.
Instruction Scope
note · Runtime instructions and examples show curl and a python client that POSTs queries (including optional system instructions) to AIsa Perplexity/Tavily/Scholar endpoints. This is within scope for a search skill, but it does mean user queries (and any system prompt text) will be transmitted to api.aisa.one — do not include sensitive credentials or private data in queries.
Install Mechanism
ok · No remote install spec or arbitrary downloads are present; the package is instruction-first with repo-local scripts (search_client.py). No third-party install URLs, extract steps, or unexpected binaries were found.
Credentials
ok · Only AISA_API_KEY is declared/used as a required environment variable (and is referenced in code). No unrelated secrets, extra credentials, or unexpected config paths are requested.
Persistence & Privilege
ok · "always" is false and the package does not request persistent system-level privileges or modify other skills. It is a normal user-invocable skill and must be granted AISA_API_KEY to operate.