LG ThinQ
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lg-thinq
Version: 1.0.0

The skill is designed to control LG ThinQ appliances and generally appears benign: it uses standard configuration practices and a legitimate third-party library. However, `scripts/thinq.py` accepts a `raw` command-line argument that sends an arbitrary JSON payload to the device control API. Nothing in the provided files uses this capability maliciously, but `thinq.py raw <device> <json>` is an unconstrained device-control interface that a compromised agent or a malicious prompt could use to perform actions beyond the skill's documented high-level functions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: An agent or user could send broader appliance-control requests than the skill description suggests, potentially changing physical device behavior without the guardrails the documented commands carry.
Description: The script exposes a generic raw device-control command that forwards an arbitrary payload to the ThinQ control API, while SKILL.md documents only specific temperature and mode commands.
Evidence: print(" raw <device> <json> Send raw command") ... return await api.async_post_device_control(device_id, payload)
Recommendation: Remove the raw command, or require explicit user confirmation plus allowlisted schemas, model-specific validation, and clear documentation before any raw control request is sent.

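One way to keep a raw command while closing the hole the recommendation describes is to gate every payload through a per-model allowlist and a confirmation step before anything reaches the control API. The block below is an added example, not code from the lg-thinq skill or the thinqconnect library: the model names, property keys, numeric ranges and the `confirm`/`post` callbacks are assumptions chosen for illustration, and `post` merely stands in for the skill's `api.async_post_device_control` call so the example runs offline.

```python
"""Allowlist-gated raw control for a ThinQ-style device API.

Added example, not code from the lg-thinq skill or the thinqconnect
library. Model names, property keys, ranges and the confirm/post
callbacks are assumptions for illustration; a real deployment would
build the schema from the device profile the ThinQ API returns.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class NumericRange:
    lo: float
    hi: float


@dataclass
class DeviceSchema:
    """Properties one model may be told to change (assumed layout)."""
    enum_props: dict[str, set[str]] = field(default_factory=dict)
    range_props: dict[str, NumericRange] = field(default_factory=dict)

    def allowed_keys(self) -> set[str]:
        return set(self.enum_props) | set(self.range_props)


# Constructed allowlist for two hypothetical models.
SCHEMAS: dict[str, DeviceSchema] = {
    "air_conditioner": DeviceSchema(
        enum_props={"airConJobMode": {"COOL", "AIR_DRY", "FAN"}},
        range_props={"targetTemperature": NumericRange(18, 30)},
    ),
    "refrigerator": DeviceSchema(
        range_props={"fridgeTargetTemperature": NumericRange(1, 7)},
    ),
}


def validate_payload(model: str, payload: Any) -> Optional[str]:
    """Return None if the payload is fully allowlisted, else the reason it is not.

    Unknown keys reject the whole request rather than being stripped, so a
    prompt that smuggles one extra property cannot get a partial command through.
    """
    if not isinstance(payload, dict) or not payload:
        return "payload must be a non-empty JSON object"
    schema = SCHEMAS.get(model)
    if schema is None:
        return f"no allowlisted schema for model {model!r}"
    unknown = sorted(set(payload) - schema.allowed_keys())
    if unknown:
        return f"keys not allowed for {model}: {unknown}"
    for key, value in payload.items():
        if key in schema.enum_props:
            if value not in schema.enum_props[key]:
                return f"{key}={value!r} not in {sorted(schema.enum_props[key])}"
        else:
            rng = schema.range_props[key]
            # bool is a subclass of int in Python, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return f"{key} must be numeric"
            if not rng.lo <= value <= rng.hi:
                return f"{key}={value} outside [{rng.lo}, {rng.hi}]"
    return None


def send_raw(
    model: str,
    device_id: str,
    payload: dict[str, Any],
    confirm: Callable[[str, dict[str, Any]], bool],
    post: Callable[[str, dict[str, Any]], Any],
) -> Any:
    """Validate, then ask for confirmation, then post; never post otherwise.

    `post` stands in for the skill's api.async_post_device_control call and
    `confirm` for an interactive prompt; both are injected so this runs offline.
    """
    reason = validate_payload(model, payload)
    if reason is not None:
        raise ValueError(f"raw command rejected: {reason}")
    if not confirm(device_id, payload):
        raise PermissionError("user declined the raw control request")
    return post(device_id, payload)
```

The validator returns a reason string rather than raising so the CLI can print why a request was refused; rejecting unknown keys outright (instead of silently dropping them) matters because an injected prompt that adds one property to an otherwise valid command should fail loudly, not half-succeed.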
Impact: Anyone or any process that can read this token file may be able to access or control the linked LG appliances through the API.
Description: The skill requires a ThinQ Personal Access Token stored in a local file. This is expected for the service, but the token grants access to the user's appliance account.
Evidence: Get a Personal Access Token from https://connect-pat.lgthinq.com ... Store token: `echo "YOUR_TOKEN" > ~/.config/lg-thinq/token`
Recommendation: Use a least-privileged token if LG supports it, restrict file permissions on the token file (a shell redirect such as `echo "YOUR_TOKEN" > file` creates the file under the current umask, typically mode 0644, so tighten it to 0600 afterwards), and revoke the token if the device or account is no longer used.

Impact: Installing an unpinned dependency can introduce supply-chain risk if the package source or version is not verified.
Description: The runtime depends on an external Python package (thinqconnect), but the artifact has no install spec or version pin; the install is user-directed rather than automatic.
Evidence: from thinqconnect.thinq_api import ThinQApi ... print("❌ thinqconnect not installed. Run: pip install thinqconnect")
Recommendation: Document the dependency in an install spec, pin a known-good version (for pip, an exact `==` pin with `--hash` entries installed under `--require-hashes`), and install only from a trusted package source.

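A small checker for the pinning recommendation, as an added example that is not part of the skill: it parses one requirements.txt line, reports whether it is an exact pin with hash entries, and compares the pin against what is actually installed. The requirement lines used in the test are constructed, and the version numbers in them are placeholders, not a known-good thinqconnect release.

```python
"""Check that a requirements line pins the dependency and that the installed copy matches.

Added example for the unpinned-dependency note; not part of the skill.
Requirement lines fed to this are constructed samples, and any version
numbers in them are placeholders, not a known-good thinqconnect release.
"""
import re
from importlib import metadata
from typing import List, Optional

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)"          # distribution name
    r"(?:\s*(==|~=|>=|<=|!=|>|<)\s*([^\s#;]+))?"  # optional version specifier
)
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
_HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def parse_requirement(line: str):
    """Return (name, operator, version, hashes) for one requirements.txt line, or None."""
    body = line.split("#", 1)[0]          # strip trailing comment
    m = _REQ_RE.match(body)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")  # normalised the way pip compares names
    hashes = [(alg, digest.lower()) for alg, digest in _HASH_RE.findall(body)]
    return name, m.group(2), m.group(3), hashes


def installed_version(name: str) -> Optional[str]:
    """Version of the installed distribution, or None if it is absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def pin_problems(line: str, installed: Optional[str] = None) -> List[str]:
    """List the supply-chain problems with one requirement line (empty list = fine).

    `installed` is the version found on the system, or None when the
    package is missing; it is passed in so the check can run offline.
    """
    if not line.split("#", 1)[0].strip():
        return []                          # blank or comment-only line
    parsed = parse_requirement(line)
    if parsed is None:
        return ["unparseable requirement line"]
    name, op, version, hashes = parsed
    problems = []
    if op is None:
        problems.append(f"{name}: no version specifier, so any release would be installed")
    elif op != "==":
        problems.append(f"{name}: {op}{version} is a range, not an exact pin")
    if not hashes:
        problems.append(f"{name}: no --hash entries, so pip --require-hashes cannot verify the archive")
    for alg, digest in hashes:
        if len(digest) != _HEX_LEN[alg]:
            problems.append(f"{name}: malformed {alg} hash ({len(digest)} hex chars)")
    if installed is None:
        problems.append(f"{name}: not installed")
    elif op == "==" and installed != version:
        # exact string compare; "1.0" and "1.0.0" would need packaging.version to match
        problems.append(f"{name}: installed {installed} does not match pin {version}")
    return problems


def audit(line: str) -> List[str]:
    """pin_problems for one line against whatever is installed in this interpreter."""
    parsed = parse_requirement(line)
    return pin_problems(line, installed_version(parsed[0]) if parsed else None)
```

Run `audit()` over each line of the skill's install spec once one exists; a line that yields an empty list is an exact pin with usable hashes and an installed copy that matches it.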
Impact: The cache may reveal private information about the user's home appliances to local users or processes with file access.
Description: The skill caches the user's appliance list locally, including device identifiers and metadata.
Evidence: DEVICES_CACHE = CONFIG_DIR / "devices.json" ... DEVICES_CACHE.write_text(json.dumps(devices, indent=2))
Recommendation: Store the cache with restrictive permissions (`Path.write_text` creates the file under the process umask, typically mode 0644, so set the mode explicitly), avoid sharing it, and delete it when no longer needed.
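The token-file and device-cache notes above have the same fix: keep `~/.config/lg-thinq` at 0700 and its files at 0600, and write them in a way that does not depend on the umask. The block below is an added example serving both notes; it is not code from the skill. The directory and file names follow the skill's own layout, the 0700/0600 targets are the conventional POSIX choice and an assumption here, and the self-check builds a throwaway directory with a constructed placeholder token rather than touching the real config.

```python
"""Permission check and private-write helper for the lg-thinq config directory.

Added example for the token-file and device-cache notes; not part of the
skill. The ~/.config/lg-thinq path, the token file and devices.json follow
the skill's own layout; 0o700 for the directory and 0o600 for the files is
the conventional POSIX choice and an assumption here. POSIX only.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SECRET_FILES = ("token", "devices.json")


def default_config_dir() -> Path:
    return Path.home() / ".config" / "lg-thinq"


def file_problems(path: Path, want_mode: int, want_uid: Optional[int] = None) -> List[str]:
    """Describe anything that lets another local user read or redirect `path`."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink (a write could be redirected elsewhere)"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if want_uid is None:
        want_uid = os.geteuid()
    if st.st_uid != want_uid:
        problems.append(f"owned by uid {st.st_uid}, not {want_uid}")
    extra = mode & ~want_mode
    if extra:
        problems.append(f"mode {mode:04o} grants {extra:04o} beyond {want_mode:04o}")
    return problems


def write_private(path: Path, data: str) -> Path:
    """Create or overwrite `path` so that only the owner can read it.

    Unlike `echo TOKEN > file` or Path.write_text, this does not depend on
    the umask, refuses to follow a symlink, and tightens an existing loose file.
    """
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    path.parent.chmod(0o700)  # mkdir's mode is umask-filtered and ignored if the dir already existed
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    path.chmod(0o600)  # the O_CREAT mode only applies to newly created files
    return path


def audit_config_dir(config_dir: Optional[Path] = None, fix: bool = False) -> Dict[str, List[str]]:
    """Report (and with fix=True, chmod away) loose permissions on the dir and its secret files."""
    config_dir = config_dir or default_config_dir()
    if not config_dir.is_dir():
        return {str(config_dir): ["missing"]}
    targets = [(config_dir, 0o700)]
    targets += [(config_dir / n, 0o600) for n in SECRET_FILES if (config_dir / n).exists()]
    report = {}
    for path, want in targets:
        probs = file_problems(path, want)
        if probs and fix and not path.is_symlink():
            path.chmod(want)
            probs = file_problems(path, want)
        report[str(path)] = probs
    return report


def self_check() -> Dict[str, List[str]]:
    """Reproduce the finding in a throwaway dir: loose token, repair it, then write a private cache."""
    root = Path(tempfile.mkdtemp()) / "lg-thinq"
    root.mkdir(mode=0o755)
    token = root / "token"
    token.write_text("CONSTRUCTED-PLACEHOLDER-TOKEN\n")
    token.chmod(0o644)  # what `echo TOKEN > token` leaves behind under a 022 umask
    before = audit_config_dir(root)
    after = audit_config_dir(root, fix=True)
    cache = write_private(root / "devices.json", '[{"deviceId": "constructed"}]')
    return {
        "dir_before": before[str(root)],
        "token_before": before[str(token)],
        "dir_after": after[str(root)],
        "token_after": after[str(token)],
        "cache": file_problems(cache, 0o600),
    }
```

`audit_config_dir()` with no arguments checks the real skill directory and only reports; pass `fix=True` to chmod the offenders in place. The symlink check is deliberate: chmod follows links, so repairing a symlinked token file would change the target's mode instead of the link, and a writer that follows links can be redirected.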
