BookStack
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: bookstack
Version: 1.0.3

The skill provides a straightforward API integration for BookStack, allowing CRUD operations on books, chapters, pages, and shelves. It correctly retrieves API credentials (BOOKSTACK_URL, BOOKSTACK_TOKEN_ID, BOOKSTACK_TOKEN_SECRET) from environment variables, which is necessary for its stated purpose. The `SKILL.md` file contains standard documentation and usage examples without any prompt injection attempts or instructions for the agent to perform unauthorized actions. The `scripts/bookstack.py` code is a clean Python script using `urllib.request` for API calls, and it does not contain any evidence of data exfiltration (beyond using the provided BookStack credentials for authentication), malicious execution, persistence mechanisms, or obfuscation. While the skill can create/update content with user-provided HTML/Markdown, this is its intended function as an API client, and any misuse would stem from a prompt injection against the agent, not from malicious intent within the skill itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent invoking these commands could delete wiki content from the connected BookStack instance.
The script includes direct DELETE operations against BookStack resources. This is consistent with the documented CRUD purpose, but it is a high-impact action if invoked on important documentation.
def delete_book(args):
    """Delete a book"""
    api_call("DELETE", f"books/{args.id}")

Use a least-privilege BookStack token where possible and require explicit user confirmation before running delete or broad update commands.
Anyone with access to the configured token can potentially access or modify BookStack content according to that token’s permissions.
The skill uses BookStack API credentials from environment variables to authenticate requests. This is expected for the integration, but the token carries delegated account authority.
TOKEN_ID = os.getenv('BOOKSTACK_TOKEN_ID', '')
TOKEN_SECRET = os.getenv('BOOKSTACK_TOKEN_SECRET', '')
...
"Authorization": f"Token {TOKEN_ID}:{TOKEN_SECRET}"

Store the token securely, avoid sharing it in prompts or logs, and use a BookStack role limited to the actions this skill actually needs.
Users have less external context for verifying the publisher or upstream project for this skill package.
The registry metadata does not identify an upstream source or homepage. The included code is visible and simple, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown
Homepage: none
Review the included script before use and prefer trusted registry owners or source-linked releases for production credentials.
