Quack Coordinator
v1.0.0
Agent-to-agent task coordination via RFP, bid, and hire pattern. Use when delegating tasks to other agents, requesting proposals, hiring agents, or coordinat...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (RFP → Bid → Hire) match the included scripts and SKILL.md. The scripts call endpoints on a single domain (quack.us.com) and read a Quack API key from ~/.openclaw/credentials/quack.json as documented.
Instruction Scope
SKILL.md and scripts stay within the stated purpose (posting RFPs, bidding, hiring). They do instruct storing/reading an API key from a specific home-directory path (~/.openclaw/credentials/quack.json) and will send task text and budget/pricing to the remote API — this is expected but means any task content will leave the host.
Install Mechanism
No install spec; this is instruction-only plus small Node scripts. Nothing is downloaded or installed automatically by the skill bundle itself.
Credentials
No environment variables or unrelated credentials are requested. The single credential (apiKey in a JSON file under the user's home) is proportionate to the remote API use, but storing a plaintext key on disk and allowing scripts to read it is a sensitive operation — keys should be scoped and rotated.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system-wide configuration changes or elevated privileges.
Assessment
This skill appears to do what it says: run the provided Node scripts which read an API key file and call https://quack.us.com to post RFPs, bids, and hires. Before installing or running:
1) Verify the Quack service domain (quack.us.com) and that you trust it;
2) Store a minimal-scope API key and avoid putting highly sensitive data in task descriptions (anything you include will be sent to the remote service);
3) Keep the key in a secure location (consider file permissions or secret storage) and rotate/revoke if compromised;
4) Ensure your runtime environment uses a recent Node with secure TLS; and
5) If you need higher assurance, inspect network traffic or sandbox/script execution before giving the skill access to real credentials or confidential content.
Like a lobster shell, security has layers — review code before you run it.
