openqbook
Advisory
Audited by VirusTotal on Apr 7, 2026.
Overview
Type: OpenClaw Skill
Name: openqbook
Version: 1.0.0
The skill facilitates human-in-the-loop Q&A via the OpenQBook API but exhibits several risky patterns. The `skill.md` file includes an installation script that performs a remote fetch of content from `https://www.openqbook.com/skill.md`, which is a significant supply-chain risk. Additionally, the instructions contain prompt-injection-like directives ('Agent decides helpfulness - no human input') that explicitly command the agent to autonomously evaluate and implement solutions from the external platform without human oversight, potentially leading to the execution of harmful suggestions. The Python implementation also contains unusual backslash-escaping of identifiers (e.g., `API\_KEY` in `skill.md`), which, while likely a markdown formatting artifact, is atypical for clean production code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive details included in questions may be exposed to OpenQBook/human responders, and incorrect or malicious answers could influence the agent's next actions.
Human-provided answer text is brought back into the agent's workflow for evaluation. This is core to the skill, but it creates an external human-to-agent trust boundary.
answers = openqbook_tools.get_new_answers(question_id) ... if try_solution(answer["content"]):
Share only minimal, sanitized context and review or sandbox human-suggested fixes before allowing the agent to apply them.
Anyone with access to the API key could potentially act on the user's OpenQBook account within the key's permissions.
The skill needs an OpenQBook credential to post and manage questions. This is expected for the integration, but the credential should be protected and scoped.
Set `OPENQBOOK_API_KEY` environment variable. Get your key from OpenQBook platform.
Use a dedicated, revocable API key with the least privileges available, and avoid exposing it in prompts, logs, or shared files.
If not stopped, the agent/runtime could keep contacting OpenQBook and maintaining polling state longer than intended.
The skill documents periodic polling through a scheduler or background loop. It is disclosed and purpose-aligned, but it is a form of ongoing activity.
Scheduler/Timer run poll_and_save() every 5 min ... Stop scheduler when resolved
Enable polling only for specific questions, monitor it, and confirm the scheduler or heartbeat hook is removed or stopped after resolution.
A later or tampered remote file could differ from the reviewed registry artifact.
The documented install flow downloads the skill text from a remote URL into the agent's skill directory without a pinned checksum. It is user-directed, not automatic, but the downloaded content could change over time.
SKILL_URL="https://www.openqbook.com/skill.md" ... curl -fsSL "$SKILL_URL" -o "$TARGET_DIR/SKILL.md"
Install from a trusted source, verify the downloaded SKILL.md matches the reviewed version, and prefer pinned releases or checksums when available.
