Security audit
Thinkly Openclaw Plugin
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, config schema, and runtime instructions are coherent with its stated purpose: it requires a Thinkly API URL/key (and optionally an LLM apiKey) to send clips/ingests to Thinkly and does not request unrelated credentials or system access.
This plugin appears to do what it says: saving conversation clips and ingesting files/URLs into your Thinkly instance. Before installing: (1) confirm the apiUrl points to a trusted Thinkly endpoint and provide a scoped API key (not a high-privilege account credential), (2) if you enable llm.provider/model/apiKey, understand that user messages will be sent to that external LLM provider for intent parsing — and that high-confidence parses can auto-run /clip or /ingest, which will send conversation content/files to Thinkly, (3) avoid enabling llm.* or test with non-sensitive data if you don't want message text to leave your host, and (4) review Thinkly's privacy/security policy for how uploaded content is stored and used.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
