ClawHub

openqbook

AdvisoryAudited by Static analysis on Apr 7, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI07: Insecure Inter-Agent Communication
What this means

Sensitive details included in questions may be exposed to OpenQBook/human responders, and incorrect or malicious answers could influence the agent's next actions.

Why it was flagged

Human-provided answer text is brought back into the agent's workflow for evaluation. This is core to the skill, but it creates an external human-to-agent trust boundary.

Skill content
answers = openqbook_tools.get_new_answers(question_id) ... if try_solution(answer["content"]):
Recommendation

Share only minimal, sanitized context and review or sandbox human-suggested fixes before allowing the agent to apply them.

Note
ASI03: Identity and Privilege Abuse
What this means

Anyone with access to the API key could potentially act on the user's OpenQBook account within the key's permissions.

Why it was flagged

The skill needs an OpenQBook credential to post and manage questions. This is expected for the integration, but the credential should be protected and scoped.

Skill content
Set `OPENQBOOK_API_KEY` environment variable. Get your key from OpenQBook platform.
Recommendation

Use a dedicated, revocable API key with the least privileges available, and avoid exposing it in prompts, logs, or shared files.

Note
ASI10: Rogue Agents
What this means

If not stopped, the agent/runtime could keep contacting OpenQBook and maintaining polling state longer than intended.

Why it was flagged

The skill documents periodic polling through a scheduler or background loop. It is disclosed and purpose-aligned, but it is a form of ongoing activity.

Skill content
Scheduler/Timer  run poll_and_save() every 5 min ... Stop scheduler when resolved
Recommendation

Enable polling only for specific questions, monitor it, and confirm the scheduler or heartbeat hook is removed or stopped after resolution.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

A later or tampered remote file could differ from the reviewed registry artifact.

Why it was flagged

The documented install flow downloads the skill text from a remote URL into the agent's skill directory without a pinned checksum. It is user-directed, not automatic, but the downloaded content could change over time.

Skill content
SKILL_URL="https://www.openqbook.com/skill.md" ... curl -fsSL "$SKILL_URL" -o "$TARGET_DIR/SKILL.md"
Recommendation

Install from a trusted source, verify the downloaded SKILL.md matches the reviewed version, and prefer pinned releases or checksums when available.