ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

quantumlab

v1.0.0

Run the /home/bram/work/quantum_lab Python scripts and demos inside the existing venv ~/.venvs/qiskit. Use when asked (e.g., via Telegram/OpenClaw) to run quant_math_lab.py, qcqi_pure_math_playground.py, quantum_app.py subcommands, quantumapp.server, or notebooks under the repo.

0· 1.7k·0 current·0 all-time
byBram Dobbelaar@bramdo·duplicate of @bramdo/quantum-lab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (run the quantum_lab repo inside a qiskit venv) matches the files and instructions. The SKILL.md and qexec.sh consistently target a repo root and a venv and provide wrappers for running the listed scripts. Minor oddity: the description references an explicit path (/home/bram/...), but the script uses $HOME and allows overrides via QUANTUM_LAB_ROOT and VENV_PATH.
!
Instruction Scope
The instructions tell the agent to shell out into the repository via scripts/qexec.sh which sources the venv and execs any arguments. While the documented commands are limited (specific python scripts, notebooks, server), nothing in the wrapper prevents the agent from running arbitrary commands (e.g., pip install, arbitrary Python scripts, shell commands) inside your home, reading repo files, or launching network services (python -m quantumapp.server). That broad execution capability is expected for this use-case but increases risk if the agent or the repository are untrusted.
Install Mechanism
Instruction-only skill with a small helper script; no install steps or external downloads. There is nothing being pulled from external URLs or installed automatically by the skill itself.
Credentials
The skill requests no credentials or config paths in the registry metadata. It does rely on access to a venv and a repo in your HOME and allows overrides via QUANTUM_LAB_ROOT and VENV_PATH. That is proportionate to its purpose, but it implicitly requires filesystem access to the specified paths and the ability to source the venv and run commands there.
Persistence & Privilege
always:false and the skill is user-invocable; it does not request permanent presence or attempt to modify other skills. However, because the platform allows autonomous invocation by default, combining autonomous invocation with the ability to run arbitrary commands increases potential impact — you may want to restrict autonomous use if you don't fully trust the repo or agent behavior.
What to consider before installing
This skill legitimately runs a local quantum_lab repo inside a qiskit virtualenv, but it grants the agent the ability to execute arbitrary commands in your repo and venv and to start network services. Before installing: 1) Inspect and trust the contents of ~/work/quantum_lab (or set QUANTUM_LAB_ROOT to a sandbox/copy). 2) Consider using a disposable/sandboxed venv or container rather than your personal ~/.venvs/qiskit. 3) If you do not fully trust autonomous agent actions, disable autonomous invocation or require manual confirmation before running the skill. 4) Be cautious about commands that install packages (pip install -r requirements.txt) or launch servers (python -m quantumapp.server) — these can modify your environment or expose services. If you want to proceed, set explicit QUANTUM_LAB_ROOT and VENV_PATH to controlled paths and review the repo code first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97amjedb95ab4yw75rpygszw980jdpd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments