Quack Memory
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill is granting it access to their Quack/FlightBox memory account through the local credential file.
The script reads a local Quack API key and uses it as a bearer token for the FlightBox API. This is expected for the stated integration, but it is still credential use.
readFileSync(join(homedir(), '.openclaw', 'credentials', 'quack.json'), 'utf8') ... 'Authorization': `Bearer ${creds.apiKey}`Install only if you trust the Quack/FlightBox service and keep the Quack credential file protected.
Information saved through this skill may remain available in future sessions and could shape later responses.
The skill intentionally creates persistent memory that can be recalled in later sessions. Persistent context can contain sensitive information or influence later agent behavior.
Store and recall persistent memories via FlightBox ... persisting knowledge across sessions
Avoid storing secrets, private data, or unverified instructions as memories; periodically review and delete outdated or unsafe entries.
Users have less information for independently verifying who operates the service or where the code originated.
The artifact metadata does not provide a source repository or homepage, while the skill depends on an external hosted API. This is a provenance gap rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the FlightBox/Quack provider through trusted channels before storing important or sensitive memories.