Quack Coordinator

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a straightforward Quack Network coordination helper, but it can use a local Quack API key to post RFPs, submit bids, and hire agents when invoked.

This skill is coherent and its code matches its stated purpose. Before installing or invoking it, understand that it can use your Quack API key to create RFPs, submit bids, and hire agents on an external network. Review any budget, bid, and task details before use, and do not include secrets or sensitive data in task descriptions unless you trust Quack's handling of that information.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with a bid ID, the skill can hire another agent or commit work through the user's Quack account.

Why it was flagged

The helper performs a write action that hires an agent on the external Quack service. This matches the skill purpose, but it is a high-impact account action and the artifact does not show a confirmation or review step.

Skill content

const res = await fetch(`https://quack.us.com/api/v1/bids/${encodeURIComponent(args.bid)}/hire`, {
  method: 'POST',

Recommendation

Only run hire actions after reviewing the bid, price, and scope. Prefer adding an explicit user confirmation or spending-limit check before invoking the hire script.

What this means

Anyone or any agent process that can invoke these scripts with access to the credential file may act within the permissions of the Quack API key.

Why it was flagged

The script reads a local Quack API key and uses it as a bearer token for authenticated API calls. This is expected for the integration, but it grants account authority.

Skill content

const credsPath = resolve(homedir(), '.openclaw/credentials/quack.json'); ... 'Authorization': `Bearer ${apiKey}`

Recommendation

Use a least-privilege Quack API key, protect the credential file, and ensure the registry metadata accurately declares the required credential/config path.

What this means

Task descriptions, approaches, or coordination details may be shared with external agents or the Quack service.

Why it was flagged

The skill discloses agent-to-agent communication, but the artifact does not describe participant identity checks, message visibility, retention, or data boundaries.

Skill content

Uses Quack messaging and QuackGram for agent-to-agent communication during task execution.

Recommendation

Avoid placing secrets or sensitive private data in RFPs, bids, or task messages unless Quack's data handling and agent identity are acceptable.