Is aisadocs/openclaw-aisa-llm-image-video safe?
https://github.com/openclaw/skills/tree/main/skills/aisadocs/openclaw-aisa-llm-image-video
This skill is a Python API wrapper that routes image and video generation requests through AIsa (api.aisa.one), a third-party Chinese AI aggregator that proxies to Google Gemini and Alibaba Cloud Qwen; all user prompts and API keys therefore transit an undisclosed intermediary with no stated privacy policy. The SKILL.md also embeds a live documentation discovery URL (aisa.mintlify.app/llms.txt) that constitutes a secondary prompt injection vector if the agent fetches it during operation. Installation was clean: no malicious code, no persistent connections, no canary exfiltration, and no git-level supply chain indicators. The API intermediary model and the external documentation URL reference nevertheless warrant review before deployment in sensitive environments.
Findings (7)
MEDIUM: External documentation URL enables secondary prompt injection (-15)
SKILL.md instructs the agent to discover available API endpoints by consulting https://aisa.mintlify.app/llms.txt. If the agent fetches this URL during task planning or execution, attacker-controlled content at that endpoint is injected into the agent's working context. The mintlify documentation platform is also referenced for multiple specific API pages, each a potential injection point. This technique is a well-documented secondary prompt injection vector requiring no modification to the skill file itself.
MEDIUM: Third-party API intermediary receives all prompts and credentials (-20)
Both the Gemini image endpoint (https://api.aisa.one/v1) and the Wan 2.6 video endpoint (https://api.aisa.one/apis/v1) route through AIsa, a Chinese third-party aggregator. The AIsa operator receives every user prompt, the AISA_API_KEY, all image content submitted as img_url references, and all generation parameters. No privacy policy, data retention policy, or audit logging disclosure is provided within the skill. Users installing this skill should be aware they are consenting to a data-sharing relationship with an undisclosed third party.
MEDIUM: File download from unvalidated API-returned URLs (-15)
The video-wait subcommand's _download_to_file() function downloads content from video_url as returned in the api.aisa.one task status response body, with no URL scheme validation, hostname allowlist, or content-type verification. If the AIsa API is compromised, returns a misconfigured response, or is intentionally malicious, it could supply a video_url pointing to an internal network service, a file:// path, or an attacker-controlled HTTPS endpoint. The downloaded bytes are written to disk at the agent-specified output path.
LOW: Arbitrary filesystem path write via --out parameter (-22)
Both the image and video-wait subcommands accept a --out argument that is passed directly to open() after os.makedirs() creates the full directory hierarchy. There is no path canonicalization, no restriction to a safe output directory, and no validation that the path stays within the current working directory. An agent operating under adversarial instructions (e.g., via a prompt injection) could be directed to write generated content to ~/.bashrc, ~/.ssh/authorized_keys, or other sensitive locations writable by the agent process.
LOW: Skill content in Simplified Chinese reduces auditability (-10)
The entirety of SKILL.md (the content injected into the agent's system prompt) and README.md are written in Simplified Chinese. Non-Chinese-speaking users and automated English-language security reviewers cannot easily verify that the instructions the agent receives match the claimed functionality. This is not evidence of malice but represents a meaningful audit gap.
INFO: Canary files accessed post-install but confirmed intact (-8)
Auditd PATH records show /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json were opened at timestamp 1771934009 (approximately 5 seconds after skill installation completed). All files are confirmed intact by the monitoring system's canary integrity check. Timing, access-only (no write) pattern, and absence of correlated outbound network traffic are consistent with the oathe monitoring infrastructure performing its final integrity verification pass rather than skill-initiated reads. The Python script contains no code referencing these paths.
INFO: Clean installation with expected network connections only (-8)
The skill installed cleanly from the openclaw GitHub monorepo. The only external HTTPS connection during clone was to 140.82.121.3:443 (github.com). The Ubuntu system connections to 91.189.91.48:443 and 185.125.188.59:443 (Canonical/Ubuntu) are consistent with standard MOTD update checks triggered by SSH session establishment and are not skill-initiated. The before/after connection diff shows no new persistent listening ports or established connections attributable to the skill.