Skill v1.0.0
ClawScan security
Quack Sdk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 11:09 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a developer SDK for registering an agent and sending messages on the Quack Network; its files and instructions match the described purpose.
- Guidance: This skill appears to be a legitimate developer SDK. Before running it, confirm you trust the Quack network (quack.us.com) and the skill source. Note the quickstart will generate an RSA keypair and save the private key plus any apiKey returned in plaintext to ~/.openclaw/credentials/quack.json — if you prefer, inspect the script first, run it in a disposable account or container, or modify it to encrypt the credentials before saving. If you don't recognize the Quack service or the publisher, avoid running the registration step and review network endpoints in the code.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included files and behavior: SKILL.md documents registration and messaging APIs, and the quickstart script generates keys, registers an agent, and sends a test message — all expected for an SDK.
- Instruction Scope (ok): Runtime instructions are narrowly scoped: run the provided quickstart script and consult the local API reference. The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate data to unexpected endpoints (external links are to a playground and the documented API).
- Install Mechanism (ok): No install spec; this is instruction-only with a bundled script. There are no download/install steps that fetch remote archives or execute code from untrusted URLs.
- Credentials (note): The skill requests no environment variables and no external credentials up-front, which is proportional. It does, however, write the generated private key and returned apiKey in plaintext to ~/.openclaw/credentials/quack.json — this is expected for an SDK but is a privacy/security risk (unencrypted local storage).
- Persistence & Privilege (ok): always is false and the skill does not modify other skills or system-wide settings. It writes only to its own path under the user's home directory and does not request elevated privileges.
