Quack Memory
PassAudited by ClawScan on May 10, 2026.
Overview
Quack Memory is a coherent cloud-backed memory skill, but users should know it reads a local Quack API key and stores/retrieves persistent memories through an external FlightBox service.
This skill appears purpose-aligned and not malicious based on the provided artifacts. Before installing, make sure you trust the Quack/FlightBox service, understand that memories are stored remotely and can persist across sessions, and avoid saving secrets or sensitive personal/business information unless that is intended.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill is granting it access to their Quack/FlightBox memory account through the local credential file.
The script reads a local Quack API key and uses it as a bearer token for the FlightBox API. This is expected for the stated integration, but it is still credential use.
readFileSync(join(homedir(), '.openclaw', 'credentials', 'quack.json'), 'utf8') ... 'Authorization': `Bearer ${creds.apiKey}`Install only if you trust the Quack/FlightBox service and keep the Quack credential file protected.
Information saved through this skill may remain available in future sessions and could shape later responses.
The skill intentionally creates persistent memory that can be recalled in later sessions. Persistent context can contain sensitive information or influence later agent behavior.
Store and recall persistent memories via FlightBox ... persisting knowledge across sessions
Avoid storing secrets, private data, or unverified instructions as memories; periodically review and delete outdated or unsafe entries.
Users have less information for independently verifying who operates the service or where the code originated.
The artifact metadata does not provide a source repository or homepage, while the skill depends on an external hosted API. This is a provenance gap rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the FlightBox/Quack provider through trusted channels before storing important or sensitive memories.