ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Quack Memory

v1.0.2

Store and recall persistent memories via FlightBox (Quack Network). Use when storing agent memories, recalling past context, searching agent memory, or persi...

0· 456·1 current·1 all-time
by@jpaulgrayson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim persistent memory storage via FlightBox. The scripts call FlightBox endpoints (remember/recall/timeline/forget) and read a local quack.json for agentId/apiKey — this matches the described purpose.
Instruction Scope
Runtime instructions and scripts consistently instruct reading ~/.openclaw/credentials/quack.json and calling the FlightBox API. Minor inconsistency: SKILL.md shows a bash snippet creating a QUACK_KEY env var and documents an Authorization header with <QUACK_API_KEY>, but the provided scripts do not use an environment variable — they read the local credentials file directly.
Install Mechanism
No install spec or remote downloads. The skill is instruction-only with included JS scripts; nothing is fetched or written to disk during install by the skill itself.
Credentials
No environment variables or external credentials declared in registry metadata, but the scripts require a local credentials file (~/.openclaw/credentials/quack.json) containing apiKey and agentId. That is proportionate to the task but should be documented/verified (it relies on the quack-identity registration step).
Persistence & Privilege
always:false and normal model invocation settings. The skill does not modify other skills or global agent configuration and does not request persistent elevated privileges.
Assessment
This skill appears to do what it claims: it reads a local Quack credential file (~/.openclaw/credentials/quack.json) and sends memory data to FlightBox (https://flightbox.replit.app). Before installing, confirm that (1) the quack.json file is created by a trusted quack-identity flow and contains only the expected agentId/apiKey, (2) you are comfortable storing any agent memory on a third-party FlightBox service (sensitive data saved there will be transmitted off-host), and (3) you accept the small SKILL.md inconsistency where it references an env var (QUACK_API_KEY) but the scripts read the credentials file directly. If you need stricter isolation, review/modify the scripts to sanitize content before sending or run the skill in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk970s3s4nkmbh2d86g5fyfpaxd81xgmy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments