aisa-provider

[Skill Scanner] Backtick command substitution detected This skill file is documentation/config for integrating a third-party model gateway (AIsa) into OpenClaw. It is internally consistent: the listed capability (proxying Chinese models) matches the required credential (AISA_API_KEY) and the network endpoints referenced. There is no code in this fragment that exfiltrates local files or executes system commands. The main risk is privacy/trust: using AIsa routes sensitive prompts and outputs through a commercial intermediary rather than direct vendor APIs, and the file includes a strong 'Zero Data Retention' claim that must be validated with contractual evidence before sending sensitive data. Recommended actions: validate AIsa's ZDR/legal claims, review vendor privacy policy and contractual terms, and restrict which agents or configs may use this provider for sensitive workloads. Overall, I find no direct malicious code here, but a moderate supply-chain privacy/trust risk due to centralized routing of data to a third party. LLM verification: SUSPICIOUS — The skill is a provider integration that routes API keys and all prompts through a third-party gateway (api.aisa.one) rather than direct vendor endpoints. That design is consistent with a gateway product but creates a high-risk trust boundary: credentials and prompt data would be visible to the gateway operator. The skill also asserts strong privacy guarantees (Zero Data Retention) and discounted pricing without verifiable evidence in the skill. There is no evidence of active malwar

[Skill Scanner] Backtick command substitution detected BENIGN. The code fragment outlines a coherent, legitimate OpenClaw skill for integrating AIsa as a provider, with properly scoped credential handling (AISA_API_KEY via environment/config), documented onboarding flows, and standard API interactions. There is no indication of malicious data flows or over-privileged access beyond what is necessary to configure and use the provider. Data flows are consistent with interacting with the provider’s API for models and pricing, and credentials are limited to API key usage for authentication. LLM verification: This skill is a provider integration that directs OpenClaw to send API keys and user requests to a third-party gateway (https://api.aisa.one). There is no direct evidence of code-level malware or obfuscated backdoors in the provided documentation. The primary security concern is that all prompts, completions, and the API key are routed through the AIsa gateway — this elevates the trust required in the gateway operator. Claims of 'Zero Data Retention' and contract terms should be independently ve