ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Quack Sdk

v1.0.0

Developer toolkit for connecting any AI agent to the Quack Network. Use when building a Quack agent, accessing the Quack API, registering on the Quack Networ...

0· 360·1 current·1 all-time
by@jpaulgrayson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included files and behavior: SKILL.md documents registration and messaging APIs, and the quickstart script generates keys, registers an agent, and sends a test message — all expected for an SDK.
Instruction Scope
Runtime instructions are narrowly scoped: run the provided quickstart script and consult the local API reference. The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate data to unexpected endpoints (external links are to a playground and the documented API).
Install Mechanism
No install spec; this is instruction-only with a bundled script. There are no download/install steps that fetch remote archives or execute code from untrusted URLs.
Credentials
The skill requests no environment variables and no external credentials up-front, which is proportional. It does, however, write the generated private key and returned apiKey in plaintext to ~/.openclaw/credentials/quack.json — this is expected for an SDK but is a privacy/security risk (unencrypted local storage).
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It writes only to its own path under the user's home directory and does not request elevated privileges.
Assessment
This skill appears to be a legitimate developer SDK. Before running it, confirm you trust the Quack network (quack.us.com) and the skill source. Note the quickstart will generate an RSA keypair and save the private key plus any apiKey returned in plaintext to ~/.openclaw/credentials/quack.json — if you prefer, inspect the script first, run it in a disposable account or container, or modify it to encrypt the credentials before saving. If you don't recognize the Quack service or the publisher, avoid running the registration step and review network endpoints in the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c9zwxs404p1h5707e0ppt8981v46f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments