Autothink 1.0.0

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A crafted message could run commands on the user’s computer when the autothink CLI is used.

Why it was flagged

The user message is placed into a command executed via a shell. Shell metacharacters in message text or session IDs could be interpreted as local commands, and the child process inherits the user's environment.

Skill content
args.push('--message', message); ... spawn('openclaw', args, { stdio: 'inherit', shell: true, env: { ...process.env } })
Recommendation

Do not execute user text through a shell. Use spawn('openclaw', args, { shell: false }) or a safe OpenClaw API, validate session IDs, and consider passing long message content via stdin or another non-shell channel.

What this means

Users may not realize this skill includes runnable local JavaScript that launches OpenClaw.

Why it was flagged

The package includes an executable CLI even though the registry context describes no install spec and no required binaries. This under-declaration makes installation/runtime expectations less clear.

Skill content
"bin": { "autothink": "./src/cli.js" }
Recommendation

Update metadata/install requirements to declare the Node/OpenClaw runtime and CLI behavior clearly.

What this means

A previous mode choice can affect later messages in the same running session, though the artifacts do not show message-content storage or disk persistence.

Why it was flagged

The engine stores per-session thinking preferences in memory and reuses them for later messages in the same process.

Skill content
this.sessionStates = new Map(); ... this.defaultThinking = 'high';
Recommendation

Keep the reset/status behavior visible and document exactly when state persists and when it is cleared.

What this means

Users may misunderstand whether the skill is automatically analyzing every message or just reusing a selected/default mode.

Why it was flagged

Some metadata still advertises automatic complexity detection, while v2 documentation and code emphasize default high mode and disabled auto-analysis unless explicitly requested.

Skill content
"features": [ "Auto-detects message complexity", "Dynamically switches thinking mode", "Manual override with -h/-l/-m prefixes", "Zero configuration needed" ]
Recommendation

Align README, SKILL.md, skill.json, package.json, and _meta.json so the actual v2 behavior is unambiguous.

Findings (1)

critical

suspicious.dangerous_exec

Location
src/cli.js:22
Finding
Shell command execution detected (child_process).