Is 0xjordansg-yolo/openclaw-aisa-chinese-llm-models safe?
https://github.com/openclaw/skills/tree/main/skills/0xjordansg-yolo/openclaw-aisa-chinese-llm-models
This is a documentation-only skill that configures AIsa as an API provider for Chinese AI models (Qwen, DeepSeek, Kimi K2.5). It contains no executable code, no data exfiltration mechanisms, and caused no suspicious behavior during installation. The primary concerns are its heavily promotional content that biases agent recommendations, and the inherent trust placed in a third-party API gateway (api.aisa.one) through which all model traffic would be routed with unverifiable privacy guarantees.
Findings (6)
MEDIUM Duplicate SKILL.md content doubles context consumption -5
The root SKILL.md contains the full skill content repeated twice with duplicate YAML frontmatter blocks. This doubles the context window consumed when the skill is loaded into the agent's system prompt. While this appears to be a packaging error rather than intentional injection, it wastes significant context budget (~8K+ tokens of redundant content).
LOW Heavily promotional content biases agent recommendations -10
The skill contains extensive pricing comparison tables, savings calculations, and marketing language ('saves $16,320-26,520/year', '~50% off retail') that will bias the agent toward recommending AIsa over competing providers. This is a form of soft influence injection — the agent becomes an advertising vehicle for AIsa when this skill is active.
LOW All API traffic routed through unverified third-party gateway -18
Installing this skill configures all model API calls to route through api.aisa.one. This third-party proxy sees every prompt and completion in plaintext, because TLS protects the traffic only in transit to and from the gateway. The ZDR (Zero Data Retention) claims reference a 'Supplemental Enterprise Service Agreement dated 10 February 2026' that users cannot independently verify. Users who trust this skill's claims may send sensitive data through an intermediary with no auditable privacy guarantees.
LOW Default config silently changes primary model -5
The config examples set 'primary': 'aisa/qwen3-max' as the default agent model. Users installing this skill may not realize their default model is being changed from their current provider to a Chinese AI model routed through a third-party gateway.
INFO Curl commands expose API key in shell history -5
The skill suggests running curl commands with the API key in the Authorization header. While standard practice, this stores the key in shell history. This is an extremely minor concern and common across all API documentation.
INFO Clean installation with no anomalous behavior -5
The clone and installation process showed only expected behavior: git clone from GitHub, OpenClaw plugin SDK JIT compilation, and standard system services. No connections to the skill author's infrastructure were observed during installation.