Quodd

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to match its stock-quote purpose, but it uses Quodd account credentials and stores a temporary Quodd token locally.

Install only if you trust this skill with your Quodd account credentials. Set the required environment variables securely, review the included Python script and publisher provenance, and remove ~/.openclaw/credentials/quodd-token.json if you want to clear the cached token.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can authenticate to Quodd as the configured user, and a cached token may remain usable until it expires.

Why it was flagged

The skill needs Quodd account credentials and persists a reusable API token locally. This is expected for the stated API use and is disclosed, but it still represents sensitive account authority.

Skill content

Requires `QUODD_USERNAME` and `QUODD_PASSWORD` environment variables to be set... Authentication tokens are cached at `~/.openclaw/credentials/quodd-token.json` for 20 hours

Recommendation

Use only credentials you are comfortable granting to the agent, store environment variables securely, and delete the cached token if you no longer want the skill to retain Quodd access.

What this means

You have less independent context for who maintains this skill before trusting it with Quodd credentials.

Why it was flagged

The registry does not provide a source repository or homepage for the skill package, reducing provenance context for code that handles credentials.

Skill content

Source: unknown
Homepage: none

Recommendation

Inspect the included script and verify the publisher or source through a trusted channel before installing and setting credentials.