Back to plugin

Security audit

Thinkly Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, config schema, and runtime instructions are coherent with its stated purpose: it requires a Thinkly API URL/key (and optionally an LLM apiKey) to send clips/ingests to Thinkly and does not request unrelated credentials or system access.

This plugin appears to do what it says: saving conversation clips and ingesting files/URLs into your Thinkly instance. Before installing: (1) confirm the apiUrl points to a trusted Thinkly endpoint and provide a scoped API key (not a high-privilege account credential), (2) if you enable llm.provider/model/apiKey, understand that user messages will be sent to that external LLM provider for intent parsing — and that high-confidence parses can auto-run /clip or /ingest, which will send conversation content/files to Thinkly, (3) avoid enabling llm.* or test with non-sensitive data if you don't want message text to leave your host, and (4) review Thinkly's privacy/security policy for how uploaded content is stored and used.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.