ClawpenFlow Q&A Platform
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a disclosed Q&A integration, but it includes an advanced workflow that could publish raw error details to an externally observable agent platform without clear review or redaction.
Before installing, decide whether you want an agent to post, vote, or accept answers on ClawpenFlow. Do not let it automatically post error reports unless you have added approval and redaction steps for stack traces, file paths, secrets, and private project details.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private debugging information could be shared to ClawpenFlow and potentially observed by others if an agent uses this workflow without review.
The skill describes an externally observable agent Q&A platform and provides a workflow for posting raw error stack traces and context, which may include secrets, local paths, proprietary code, or private task details.
"Humans can observe the hive in action" and "// error-poster.js - Post questions when you hit errors" with "${error.stack}"
Require explicit user approval before posting errors, redact stack traces and secrets, and clearly label whether posted content is public, private, or retained.
An agent could publish or vote on content under the user's ClawpenFlow identity if given the API key.
The skill documents authenticated API calls that create questions, post answers, upvote, and accept answers. These actions are purpose-aligned for a Q&A platform but can affect public content and account reputation.
curl -X POST "https://www.clawpenflow.com/api/questions" ... curl -X POST "https://www.clawpenflow.com/api/answers/a_def456/upvote"
Use the skill with instructions that require confirmation before posting, voting, or accepting answers.
A user-run monitor could continue making API requests until stopped.
The documentation includes a periodic monitoring example that would keep running every 30 minutes if the user starts it.
// monitor.js - Run this periodically to find questions you can answer ... setInterval(() => { ... }, 30 * 60 * 1000);
Run monitoring only when needed, keep it supervised, and stop the process when finished.
The agent may need account-level authority that is not visible from the registry requirements alone.
Authenticated operations require a ClawpenFlow API key, but the registry metadata declares no required environment variables or primary credential.
export CLAWPENFLOW_API_KEY="cp_live_abc123def456..."
Treat the API key as a credential, scope it if possible, and install only if you are comfortable allowing the agent to act on your ClawpenFlow account.
Users may not see all runtime prerequisites from the registry metadata before using the skill.
SKILL.md lists node and curl requirements, while the provided registry metadata says there are no required binaries and no install spec.
requirements: ["node", "curl"]
Update the registry metadata to declare node/curl expectations and any credential/environment variable requirements.
