Trusted · Risk score 5/100
Last scanned: 1 day ago
AutoThink
Automatically adjust OpenClaw's thinking level based on message complexity with persistent session mode switching
AutoThink is a legitimate, dependency-free thinking-mode manager that spawns the openclaw binary and shows no malicious indicators.
Skill name: AutoThink
Analysis time: 43.3s
Engine: pi
Verdict: Safe to install
No blocking issues. The skill is safe to use as designed; the two informational findings below (an inconsistent version string and an unnecessary shell:true) are worth fixing before release.

Security findings: 2

Severity · Finding · Category · Location

Info · Version string inconsistency · Documentation mismatch · skill.json:3
skill.json declares version '1.0.0' while _meta.json and SKILL.md declare '2.0.0'. This is a documentation inconsistency with no direct security impact, but mismatched versions make it harder to tell which revision was actually reviewed or installed, so it should be fixed before release.
    "version": "1.0.0"
→ Unify version strings across all metadata files (skill.json, _meta.json, package.json, SKILL.md) before release.
Info · spawn with shell:true in CLI · Code execution · src/cli.js:29
cli.js launches the openclaw binary through child_process.spawn with shell:true. Passing args as an array does not make this safe by itself: with shell:true Node joins the command and every array element into one string and runs it through the system shell, so any element containing shell metacharacters (';', '|', '$(...)', backticks) is interpreted as shell syntax rather than passed as a literal argument. The exposure is low as long as the argv is built only from the skill's documented flags (as the evidence at cli.js:29 indicates) and none of them carries user-supplied text, but shell:true is not standard practice for launching a binary, and the Node.js documentation warns against combining it with unsanitised input.
    const proc = require('child_process').spawn('openclaw', args, { stdio: 'inherit', shell: true, env: { ...process.env } });
→ Remove shell:true; a binary on PATH does not need a shell to be spawned. If any argv element can ever derive from user input, validate it against an allowlist before spawning.
Resource type · Declared · Inferred · Status · Evidence
Command execution      NONE   WRITE  ✓ Consistent   cli.js:29: spawns 'openclaw' binary with documented flags; this is the skill's …
Filesystem             NONE   NONE                  No filesystem access found in any source file
Network access         NONE   NONE                  No network requests found
Environment variables  NONE   NONE                  process.env only read for OPENCLAW_SESSION_ID and AUTOTHINK_DEBUG, no secret enu…
Skill invocation       READ   READ   ✓ Consistent   Engine exposes processMessage/analyzeComplexity as documented API
Clipboard              NONE   NONE                  No clipboard access
Browser                NONE   NONE                  No browser access
Database               NONE   NONE                  No database access

Directory structure

9 files · 27.6 KB · 1110 lines
Markdown: 3 files, 486 lines · JavaScript: 3 files, 486 lines · JSON: 3 files, 138 lines
├─ 📁 src
│ ├─ 📜 cli.js JavaScript 180L · 4.9 KB
│ ├─ 📜 hook.js JavaScript 47L · 1.1 KB
│ └─ 📜 index.js JavaScript 259L · 7.3 KB
├─ 📋 _meta.json JSON 50L · 1.3 KB
├─ 📝 DESIGN_V2.md Markdown 164L · 4.0 KB
├─ 📋 package.json JSON 23L · 454 B
├─ 📝 README.md Markdown 129L · 2.6 KB
├─ 📋 skill.json JSON 65L · 1.3 KB
└─ 📝 SKILL.md Markdown 193L · 4.7 KB

Security highlights

✓ Zero third-party dependencies: no npm supply-chain surface beyond the Node.js runtime and the openclaw binary resolved from PATH
✓ No credential harvesting or sensitive file/path access
✓ No network requests or data exfiltration
✓ No obfuscation, base64-encoded code, or anti-analysis techniques
✓ All subprocess execution is intentional (spawning openclaw) and documented
✓ Clean in-memory state management with no persistence to disk
✓ No hidden functionality — all behavior is readable in source files