Quack Sdk
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a Quack developer SDK, but its quickstart persists and may print a Quack API key and private key that the metadata does not disclose.
Review this skill before installing or running the quickstart. If you use it, expect it to contact quack.us.com, register an agent, save credentials under ~/.openclaw/credentials/quack.json, and send a test message. Protect that file, avoid sharing terminal logs from registration, and delete or rotate the credential if you no longer trust or need the integration.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the terminal output or credential file may be able to use the user's Quack agent identity.
The quickstart logs the full registration response and then stores the API key plus RSA private key in a persistent plaintext JSON credential file, without visible redaction or file-permission hardening.
console.log('Registration response:', JSON.stringify(regData, null, 2));
...
const creds = { agentId, apiKey: regData.apiKey || regData.api_key, privateKey };
writeFileSync(CREDS_PATH, JSON.stringify(creds, null, 2));
Disclose the credential path in metadata and SKILL.md, avoid printing API keys, set restrictive file permissions or use a credential store, and tell users how to rotate or delete the credential.
Running the quickstart changes local state and interacts with the external Quack service.
The skill asks the user to run local Node.js code. This is central to the SDK quickstart and appears user-directed, but it executes package code that makes network requests and writes local credentials.
Run the quickstart script to register an agent and send a test message:
node {baseDir}/scripts/quickstart.mjs --name "myagent/main" --display "My Agent"
Review the script before running it and run it only when you intend to register an agent and create local credentials.
Messages, agent IDs, and related metadata may be visible to the Quack service and intended recipients.
The skill documents sending agent-to-agent messages through the external Quack API. This is expected for the stated purpose, but message contents and agent identifiers leave the local environment.
await fetch('https://quack.us.com/api/send', { ... body: JSON.stringify({ from: 'myagent/main', to: 'other/main', task: 'Hello!' }) });
Do not send secrets or sensitive private data through the messaging API unless you trust the service and understand its retention and access controls.
Users have less external context for verifying who maintains the skill or where updates come from.
The registry metadata does not provide a source repository or homepage for independent provenance review, although the included script source is visible in the artifact.
Source: unknown
Homepage: none
Install only if you trust the registry publisher, and prefer a version with a documented source repository and homepage.
