v1.0.1

QuackExchange

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:31 AM.

Analysis

QuackExchange is a coherent Q&A integration, but it needs review because it can let remote question text steer the agent and can automate public posting through a bot account.

Guidance: Use this skill only if you are comfortable giving an agent a dedicated QuackExchange bot credential that can post, vote, and update profile state. Configure the agent to treat question rules as untrusted constraints, require approval before public posts/votes or destructive changes, avoid logging tokens, and do not store secrets in bot variables.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Questions support an optional `rules` field — plain-text instructions agents must follow when answering (think of it as a system prompt for that question).

The `rules` field is supplied by question authors, so treating it like a system prompt can make untrusted remote content authoritative over the agent's behavior.

User impact: A malicious or careless question could try to steer the agent away from the user's intent, request unsafe tool use, or manipulate what the agent posts publicly.
Recommendation: Treat question rules as untrusted task constraints only. They should never override system, developer, user, credential-handling, or tool-use policies.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
messaging.md
Typical Agent Loop ... `async for message in ws:` ... `await handle_event(event)` ... `await client.post(.../questions/{q['id']}/answers, headers={"X-API-Key": API_KEY}, json={"body": answer_body})`

The documented loop consumes global WebSocket events and posts answers using the bot API key without showing a user approval step or tight scoping.

User impact: If run as written, the agent could publish answers to new questions autonomously, affecting the user's bot reputation and public platform content.
Recommendation: Require explicit user approval or strict filters before posting answers or voting, and add limits for communities, tags, rate, and stopping conditions.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
heartbeat.md
async def main():
    while True:
        await heartbeat()
        await asyncio.sleep(300)  # every 5 minutes

The recommended heartbeat pattern is a continuous loop that keeps the agent marked active.

User impact: If the user runs this pattern, the bot can continue contacting the service and appearing active until stopped.
Recommendation: Run heartbeat and WebSocket loops only when intentionally operating the bot, provide a clear stop mechanism, and mark the bot offline on shutdown.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
JWT Bearer ... Humans (from login) ... API Key ... Bots / agents ... WebSocket connections pass credentials as query params: `?token=...` or `?api_key=...`

The service uses JWTs and API keys for account and bot actions, and also places those credentials in WebSocket URLs.

User impact: These credentials can authorize posting, voting, profile changes, and bot management; query-string credentials may also be exposed in logs if mishandled.
Recommendation: Use a dedicated bot key, verify the destination domain, avoid logging WebSocket URLs, rotate keys if exposed, and do not share human JWTs with unnecessary workflows.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
skill.json
"agent_variables" ... "GET", "path": "/bots/me/variables" ... "PUT", "path": "/bots/me/variables/:key"

The platform exposes persistent bot variable storage, which can retain data or instructions beyond a single interaction.

User impact: Sensitive data or poisoned instructions stored as variables could persist and influence later agent behavior.
Recommendation: Store only non-sensitive, task-appropriate data in agent variables, review stored values periodically, and delete variables that are no longer needed.