Is aisadocs/openclaw-aisa-llm-image-video-qwen-wan26-gemini-3-pro-image safe?

https://github.com/openclaw/skills/tree/main/skills/aisadocs/openclaw-aisa-llm-image-video-qwen-wan26-gemini-3-pro-image

Overall score: 84 · Verdict: SAFE

This skill wraps the AIsa third-party media generation API and is functionally transparent: SKILL.md contains no prompt injection directives, the Python client uses only stdlib and makes documented API calls, and the git install was a clean sparse checkout touching only GitHub. The primary concerns are runtime privacy (all prompts, parameters, and image reference URLs are transmitted to aisa.one, a third-party intermediary) and a batch read of all six credential canary files at audit events 1416-1423 whose triggering process is not visible in the truncated log — most likely the audit harness's own canary verification, consistent with all canary files being confirmed intact post-install. Users should treat this skill as transmitting all generation prompts externally and ensure no sensitive context enters image or video prompts.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (8)

MEDIUM (-18) Unexplained batch read of all credential canary files at audit events 1416-1423

At Unix timestamp 1771735233 (audit events 1416-1423), all six monitored credential files were opened and read in rapid succession: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. This access occurs after all visible skill-installation EXECVEs (the last at event ~1221) and after the audit harness had already completed its skill-file collection phase (events 704-729). No corresponding EXECVE entry is visible in the truncated audit log for this second access batch. The most probable explanation is the audit harness performing its final canary integrity verification, which is consistent with the canary check result showing all files intact and unmodified. However, because no triggering process is visible, this access cannot be definitively classified as benign.

MEDIUM (-10) All generation prompts transmitted to unauthenticated third-party intermediary (aisa.one)

Every image and video generation request dispatched by this skill sends the full user prompt, model parameters, and image reference URLs to api.aisa.one, operated by a third party (AIsa). This intermediary claims to proxy Google Gemini and Alibaba DashScope APIs but is not a first-party endpoint. If an agent is instructed to generate media that incorporates contextual information (e.g., 'generate an image of the project I am working on'), sensitive working-context data would be transmitted externally. The video generation endpoint also sends img_url, which may be a private or internal URL.

LOW (-12) SKILL.md references an llms.txt endpoint that an agent may fetch autonomously

SKILL.md explicitly names https://aisa.mintlify.app/llms.txt as a machine-readable documentation source with the framing 'all pages available at'. Some LLM agent frameworks (including Claude Code) support autonomous URL fetching for context enrichment. If an agent fetches this URL, the returned content is not audited here and could contain adversarial instructions. The risk is indirect and depends on the agent's URL-fetching policy.

LOW (-8) Executable Python script ships as part of skill bundle

The skill includes media_gen_client.py which is explicitly invoked via python3. The script is fully readable, uses only Python stdlib, makes no subprocess calls, and contains no obfuscation. Its presence as executable code is consistent with the skill's documented purpose. At runtime it makes outbound HTTPS calls to api.aisa.one.

LOW (-10) Runtime outbound HTTPS to third-party API endpoint

When invoked, the Python client unconditionally contacts api.aisa.one over HTTPS for both image and video operations. There is no opt-out, no local processing path, and no certificate pinning. A MitM or DNS hijack of aisa.one could intercept API keys and prompt content.

LOW (-8) img_url parameter leaks caller-supplied URLs to AIsa infrastructure

The video-create subcommand requires an img_url argument that is transmitted verbatim to aisa.one. There is no sanitization, allowlist, or local download-then-reupload path. If an agent is directed to use a private S3 presigned URL, internal service endpoint, or user-session-scoped URL as a reference image, that URL is exfiltrated to the AIsa operator and potentially to Alibaba DashScope.

LOW (-20) AISA_API_KEY exposed to a third party on every call with no rate limiting

The skill transmits AISA_API_KEY in the Authorization header on every HTTP request. No cost caps, quota checks, or per-request logging are implemented. An attacker who can cause the agent to invoke this skill repeatedly (e.g., via a looping prompt) could exhaust the user's API credits. The key value is also exposed to aisa.one's TLS termination point.

INFO (0) Clean sparse checkout — only expected GitHub connection observed

The install connected exclusively to github.com (140.82.121.4:443) for a sparse checkout of the specific skill subdirectory. No other external connections were made during install. Post-install connection diff shows no new listeners or established connections.