Security audit

Autothink 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate purpose, but it launches the local OpenClaw CLI through a shell with user-provided text and its documentation is inconsistent about what it actually does.

Install only if you trust this publisher and are comfortable with the skill invoking your local `openclaw` command. Prefer a corrected release that removes `shell: true`, narrows triggers to explicit commands, validates session IDs, and makes the v1/v2 behavior and persistence semantics consistent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding:
The design explicitly disables automatic complexity analysis while the skill metadata claims intelligent automatic adjustment based on message complexity. This creates a security-relevant trust mismatch: operators and users may grant the skill broader trust or different expectations than its actual behavior, which can hide unexpected persistent state behavior and reduce transparency about how requests are handled.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The documented behavior is persistent manual mode switching, not automatic message-complexity analysis as advertised. In an agent skill, this kind of capability misrepresentation is dangerous because users and orchestrators may invoke it under false assumptions, leading to unintended high-thinking persistence, unexpected resource usage, and reduced ability to reason about the skill's effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The manifest claims intelligent automatic complexity analysis, while the visible documentation says the user manually chooses a mode and that no further analysis occurs. In an agent skill ecosystem, this kind of semantic mismatch is security-relevant because reviewers and users may approve or invoke the skill under false assumptions about autonomy, data handling, and decision logic.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding:
Claims of 'zero analysis overhead' and no need for complexity analysis contradict the stated purpose of automatic intelligent switching. While not directly exploitable like code execution, misleading performance and behavior claims can cause unsafe reliance on the skill and weaken review, especially if users expect automatic safeguards or adaptive reasoning that are not actually present.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The CLI launches `openclaw` with `shell: true` while passing user-influenced values such as `message` and `sessionId` as process arguments. Even though `spawn` is used, invoking a shell unnecessarily increases the attack surface for command injection or argument re-interpretation, and forwarding the full parent environment may expose secrets or dangerous configuration to the child process.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding:
The trigger phrase 'thinking mode' is broad enough to appear in ordinary conversation, which can cause accidental skill activation. In agent environments, unintended invocation can alter session state or route messages through unexpected logic, creating integrity and usability risks even without direct code execution.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The manifest advertises automatic complexity detection, dynamic mode switching, and persistent session-wide overrides without clearly constraining when the skill activates or how long state changes persist. In an agent setting, broad and sticky behavioral changes can unexpectedly alter future prompts and reasoning behavior beyond the user's immediate intent, increasing the risk of prompt-triggered manipulation or unintended degradation of safeguards.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The trigger phrase "thinking mode" is generic enough to appear in normal conversation, which can cause unintended activation of the skill as a message preprocessor. In this context, accidental invocation could silently alter model behavior or session thinking settings without clear user intent, making it a genuine security and safety concern even if not overtly malicious.

VirusTotal

64/64 vendors flagged this skill as clean.
