ClawHub

Quack Wallet

v1.0.0

Check balance and transfer Quack tokens via the Quack Network API. Use when checking wallet balance, sending payments, transferring tokens, or managing agent...

0· 298·1 current·1 all-time
by@jpaulgrayson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description align with the included scripts: both balance and transfer scripts call the documented Quack API. However the skill relies on a local credentials file (~/.openclaw/credentials/quack.json) containing an API key while the registry metadata declares no required credentials/primary credential. That omission is an inconsistency that should have been declared.
Instruction Scope
SKILL.md and the scripts are narrowly scoped: they read the local credentials file and call only the documented API base (https://quack.us.com) to get balance or post transfers. The instructions do not reference other system files, network hosts, or external endpoints beyond the Quack API.
Install Mechanism
No install spec (instruction-only), but the package includes two executable JS scripts that will be written to disk as part of the skill. There is no external download URL or installer, which lowers supply-chain risk, but included code will run locally and read the credentials path.
!
Credentials
The skill requires an API key (stored in ~/.openclaw/credentials/quack.json) but the registry lists no required env vars or primary credential. Requesting an API key to access the token API is reasonable, but failing to declare it in metadata is a mismatch and prevents automated reviewers from spotting that the skill needs secrets. Storing the key in a plaintext file at that path is also a security consideration.
Persistence & Privilege
always is false and disable-model-invocation is default (agent can invoke autonomously). The skill does not request permanent presence or attempt to modify other skills or system-wide configs.
What to consider before installing
This skill appears to do what it claims (check balance and send tokens) and only contacts the documented API, but exercise caution: it requires you to store your Quack API key in ~/.openclaw/credentials/quack.json even though the registry metadata doesn't declare that credential — that's an inconsistency. Before installing, verify the Quack API domain (https://quack.us.com) is legitimate, confirm you trust the skill owner, and consider these actions: (1) request that the skill metadata explicitly declare the required credential (primaryEnv or requires.env) so automated tooling can protect it; (2) avoid storing long-lived secrets in plaintext if possible (use a secrets manager or ephemeral key); (3) review or test the included scripts in a safe environment — note the transfer script will perform real token transfers and does minimal validation (amount can be parsed to negative/odd values); and (4) if you do provide a key, start with a least-privilege API key (limited transfer rights or low balance) to reduce impact in case of misuse.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bej4pajmz05k7xmxd7hjf6581x59m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments