TRAE指挥官
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is mostly aligned with automating TRAE for software development, but it gives an external IDE broad autonomous write control and uses global GUI automation that could paste and submit prompts to the wrong window.
Install only if you intentionally want TRAE to automate development in a chosen project directory. Run it in a backed-up or version-controlled workspace, keep TRAE focused before prompt-sending, verify the TRAE executable path and Python packages, and review all generated file changes before relying on them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A prompt meant for TRAE could be pasted into the wrong chat, terminal, browser, or document and submitted automatically.
The helper pastes and submits text using global GUI automation after a delay, with no shown check that the TRAE window is active. If focus is wrong, project requirements or commands could be sent to another application.
pyperclip.copy(prompt_text)
pyautogui.hotkey('ctrl', 'v')
time.sleep(0.5)
pyautogui.press('enter')Only run this while TRAE is visibly focused; prefer adding active-window verification, explicit user confirmation before pressing Enter, or a safer TRAE API if available.
A wrong project path, bad requirement, or agent mistake could cause many project files to be changed before the user notices.
The workflow deliberately delegates broad source-file mutation to TRAE and instructs it to work autonomously without user confirmation. That is aligned with the skill's purpose, but it lacks clear safeguards such as backups, per-file approval, or rollback.
| Read only: task_plan.md, progress.md | Read/write all source files | ... - 自主完成任务,不需要用户确认
Use the skill only in a dedicated project directory under version control, review generated changes before running them, and avoid pointing it at important repositories without backups.
The automation may not work until extra packages are installed, and users must verify package provenance separately.
The helper relies on optional third-party Python packages for GUI automation, while the supplied metadata/install section does not declare an install spec. This is not malicious, but users must install and trust these packages themselves.
print(" 运行: pip install pyautogui pyperclip")Install dependencies from trusted package sources, consider pinning versions, and treat GUI automation packages as sensitive because they can control keyboard and clipboard.
Running the helper starts a local application and opens the selected project directory.
The helper launches a local TRAE executable with an optional project path. This is expected for an IDE orchestration skill, but it is still local process execution.
cmd = [self.trae_path]
if project_path:
cmd.append(project_path)
...
subprocess.Popen(cmd)Confirm the TRAE executable path is correct and avoid saving a path to an untrusted executable.
Stale or manually created signal files could make the orchestrator believe a phase completed when it did not.
The workflow coordinates OpenClaw and TRAE through local signal/progress files and prompts. This is purpose-aligned, but file-based signals do not authenticate which process created them.
TRAE creates a signal file when done - openclaw only checks if file exists: ... openclaw sends next prompt
Use clean project directories, remove old .trae-docs signal files before starting, and consider adding run IDs or timestamps to signal files.
A monitoring command could continue running until manually stopped if the project never finishes.
The progress monitor can wait indefinitely when no timeout is provided. This is disclosed monitoring behavior, not hidden persistence, but users should choose a timeout.
def wait_for_completion(self, timeout=None, interval=10): ... while True:
Use an explicit timeout and stop the process if TRAE becomes stuck.