Quantum Bridge
PassAudited by ClawScan on May 1, 2026.
Overview
This looks like a coherent quantum-service API wrapper, but it uses an API key, sends submitted circuit files to an external service, and can spend service credits for hardware runs.
Before installing or using this skill, make sure you trust the Quantum Bridge API provider, keep QUANTUM_BRIDGE_KEY private, and explicitly approve any hardware or simulator submission that spends credits. Avoid sending confidential circuit designs unless you are comfortable with the provider handling them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the key could access the service under the user's account and potentially consume credits.
The skill requires a service credential and uses it as a bearer token. This is expected for the API integration, but it gives access to the user's Quantum Bridge account and credits.
Requires an API key... QUANTUM_BRIDGE_KEY=qb_... Auth: `Authorization: Bearer qb_...`
Store the key only in a trusted environment, avoid sharing logs or prompts containing it, and revoke or rotate it if exposed.
Private or proprietary circuit definitions, OriginIR files, or agent feature data could be sent to the Quantum Bridge provider.
The helper reads local user-provided circuit files and sends their contents to an external API endpoint. This is necessary for transpilation/submission, but users should recognize that local circuit data leaves their environment.
qasm=$(cat "$file") curl -s -X POST "$BASE/transpile" -H "$AUTH" -H "$CT"
Only submit circuit or agent data that you are comfortable sending to the provider, and review the provider's privacy and retention terms before using confidential material.
Using the submit workflow can consume the user's credits and queue a hardware or simulator job.
The skill can perform cost-bearing account actions by submitting jobs to a simulator or real quantum hardware. This is disclosed and purpose-aligned, but it has financial/account impact.
Submit Circuit to Hardware (5-10 credits)... Submit to cloud simulator (5 credits) or real Wukong 72-qubit chip (10 credits).
Confirm the backend, shot count, and credit cost before submitting, and prefer validation or simulator runs before using real hardware.
Users may not realize before installation that successful use requires a service key and local command-line tooling.
The registry metadata does not declare the API key or helper-script runtime expectations, even though the included script requires QUANTUM_BRIDGE_KEY and uses curl/jq. This appears to be under-declaration rather than hidden execution.
Required binaries (all must exist): none... Required env vars: none... Primary credential: none... No install spec — this is an instruction-only skill.
Treat the included script as optional reviewed code, ensure curl and jq are available if using it, and prefer registry metadata that explicitly declares credentials and dependencies.