Is 0xjordansg-yolo/openclaw-aisa-llm-gateway safe?
https://github.com/openclaw/skills/tree/main/skills/0xjordansg-yolo/openclaw-aisa-llm-gateway
This skill is a legitimate LLM API gateway client that routes requests to 70+ models through the AIsa (aisa.one) third-party service. The code is clean with no prompt injection, no hidden execution, no canary tampering, and no anomalous install behavior. The primary risk is inherent to the skill's purpose: all user prompts pass through a third-party intermediary that could inspect or log conversations.
Findings (5)
MEDIUM All user prompts routed through third-party API gateway -15
By design, this skill routes all LLM API calls through api.aisa.one. While this is the explicitly stated purpose and not a hidden behavior, it means a third party (AIsa) can see, log, and potentially modify all user conversations and model responses. Users should understand they are adding a man-in-the-middle to their LLM interactions.
LOW Executable Python script included in skill -8
The skill ships llm_router_client.py which is executable Python code. The script is clean, uses only Python standard library, and contains no obfuscation or hidden functionality. It is a straightforward HTTP API client.
LOW Skill references multiple external URLs for agent to interact with -10
SKILL.md contains API endpoint URLs and documentation links that the agent may follow. All URLs point to the legitimate aisa.one service and its documentation. No deceptive or malicious URL redirection detected.
INFO API key credential management via environment variable -3
The skill requires AISA_API_KEY as an environment variable. This follows standard credential management patterns. The key is sent as a Bearer token in HTTP Authorization headers. No credential caching, file writing, or forwarding beyond the intended API endpoint was observed.
INFO Clean install with no anomalous behavior -5
The skill installed via a standard git clone with no post-install hooks, no network callbacks, and no filesystem changes outside the skill directory. All observed network traffic during install was to expected destinations (GitHub, Ubuntu update servers).