Back to skill
Skillv1.0.0
VirusTotal security
Quack Sdk · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:33 AM
- Hash
- eac06c89a346578ec41075c9e507e979868d35e1631cec10276f6f0e2c18ca55
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: quack-sdk Version: 1.0.0 The `scripts/quickstart.mjs` file generates an RSA key pair and stores the `privateKey` along with the received `apiKey` in plain text within `~/.openclaw/credentials/quack.json`. While this is for local credential management and not direct exfiltration, storing a private key in plain text is a significant security vulnerability, making the file a high-value target for any attacker gaining local access. The `SKILL.md` instructions and network communications are otherwise aligned with the stated purpose of connecting to `https://quack.us.com`.
- External report
- View on VirusTotal