Quack Challenges

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill’s behavior matches its Quack Network challenge purpose, but it uses a local API key and can submit proof to the service, so users should review those actions.

Before installing, confirm you trust the Quack Network endpoint, store only the intended Quack API key in ~/.openclaw/credentials/quack.json, and review any proof text before letting the skill submit it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill gives it access to the Quack API key stored in the documented OpenClaw credentials file.

Why it was flagged

The script reads a local Quack API key and uses it as a bearer token for the Quack API. This is expected for the service integration, but it is still sensitive credential handling.

Skill content

const credsPath = resolve(homedir(), '.openclaw/credentials/quack.json'); ... headers: { 'Authorization': `Bearer ${apiKey}` }

Recommendation

Use a scoped Quack API key if available, protect the credential file, and remove or rotate the key if you stop using the skill.

What this means

If run with a challenge ID and proof text, the skill can submit that proof to the Quack Network account tied to the API key.

Why it was flagged

The submit script can post proof to a challenge endpoint, which is the stated purpose but may affect the user’s challenge status or leaderboard presence.

Skill content

const url = `https://quack.us.com/api/v1/challenges/${encodeURIComponent(args.challenge)}/submit`; ... method: 'POST' ... body: JSON.stringify({ proof: args.proof })

Recommendation

Review the challenge ID and proof text before submission, and avoid putting private information in proof content.

What this means

Users have less external context for who maintains the skill or how to verify the Quack service and code provenance.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits provenance verification even though the reviewed scripts are small and included.

Skill content

Source: unknown
Homepage: none

Recommendation

Inspect the included scripts and confirm that quack.us.com is the intended service before adding credentials or submitting proof.