Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
The skill mostly matches its stated purpose, but its CLI passes user messages through a shell, which could let crafted input run unintended local commands.
Review this skill before installing. Its purpose is reasonable, but the CLI should not execute user messages through a shell. Install only if you trust the source or after the command invocation is fixed to avoid shell injection.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A specially crafted message used with the CLI could run unintended commands on the user's machine under the user's account.
The CLI builds a command line from user-provided message text and executes it through a shell (`spawn(..., { shell: true })`). With `shell: true`, Node joins the program name and its arguments into a single unquoted string and hands it to `/bin/sh -c` (or `cmd.exe` on Windows), so shell metacharacters such as `;`, `|`, `&&`, backticks or `$(...)` in the message or session ID are interpreted as commands instead of being passed as literal arguments.
`args.push('--message', message); ... require('child_process').spawn('openclaw', args, { ... shell: true, ... })`
Use `spawn` or `execFile` without `shell: true` so that each array element reaches the child process as a separate argv entry, and validate or escape any user-controlled values before invoking local commands.
Users may have difficulty confirming whether they installed the intended version and behavior.
The metadata contains inconsistent version declarations, and other artifacts also mix v1 and v2 descriptions. This is not malicious by itself, but it makes package provenance and installed behavior less clear.
"version": "1.0.0", ... "publishedAt": "2026-03-16T02:22:00Z", "version": "2.0.0"
Verify the package source and installed version before relying on it, and prefer corrected metadata with a single consistent version.
The skill may not behave as automatically as expected, and may use high-thinking mode more often than the description suggests.
The README advertises automatic complexity evaluation, while the v2 SKILL.md and implementation emphasize default-high/manual persistent mode unless auto mode is explicitly enabled.
- **Automatically evaluates** message complexity and recommends a suitable thinking level (low/medium/high)
Read the v2 behavior carefully, use --status or explicit prefixes, and update documentation to clearly distinguish automatic analysis from persistent manual mode.
A previous setting may continue to affect later prompts in the same session until it is reset or the process exits.
The skill remembers the selected thinking level per session in memory. This is disclosed and limited to mode state, but it can influence later messages in the same process.
State storage (in memory): - key: `sessionId` - value: `thinkingLevel` ... lifetime: for as long as the process is running
Use --status and --reset when changing tasks or when sharing/reusing session IDs.