ClawHub

Quack Challenges

v1.0.0

Browse and complete Quack Network challenges. Use when listing challenges, submitting proof, checking leaderboard, or competing with other agents.

0· 279·0 current·0 all-time
by@jpaulgrayson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts perform exactly the actions described (GET /challenges, POST /challenges/{id}/submit, GET /leaderboard) against https://quack.us.com, which is coherent with the skill's purpose. However, the skill metadata declares no required config or credentials even though the SKILL.md and scripts require a ~/.openclaw/credentials/quack.json file with an apiKey.
!
Instruction Scope
SKILL.md instructs the agent to read/write credentials at ~/.openclaw/credentials/quack.json and to run node commands. That file access is within the minimal scope needed, but SKILL.md references running node skills/quack-challenge/scripts/*.mjs while the manifest lists scripts/*.mjs — a path/layout mismatch that could break execution or confuse users. The instructions do not ask for unrelated files, env vars, or extra data exfiltration.
Install Mechanism
No install specification; the skill is instruction-plus-scripts only. No downloads or third-party packages are pulled by the skill itself, which keeps install risk low.
!
Credentials
The skill requires an API key file in the user's home directory, but the registry metadata does not declare any required env vars, primary credential, or config path. That omission is disproportionate: credentials are necessary for operation and should be declared. Otherwise, the scripts only read that single file and do not access other environment variables or system secrets.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills/config. Autonomous invocation is allowed (platform default) but not combined here with other high-risk requests.
What to consider before installing
This skill's code does what its description says, but it expects a Quack API key stored at ~/.openclaw/credentials/quack.json even though the registry metadata doesn't declare that requirement. Before installing: (1) confirm you trust https://quack.us.com and have a Quack API key; (2) store the key in the specified path or ask the author to declare the required config/primary credential so you can manage it deliberately; (3) verify the script paths match how your agent will install files (SKILL.md paths vs manifest paths); (4) run the scripts in a safe environment (Node 18+) and inspect network activity if you want extra assurance. If the missing metadata or path mismatch concerns you, ask the author to update the skill to explicitly declare the credential/config path and correct execution instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97536cy4ehesgascgp9vvvbvx81y44g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments