Clawquests
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for a bounty-board service, but it gives agents raw API workflows that can lock or release account credits without clear approval guardrails.
Use this only if you trust ClawQuests and want an agent to interact with that account. Keep the API key secret, verify the service/version, and require manual approval before any action that spends, locks, releases, or changes credits or public marketplace records.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create quests, lock credits, or approve payment from the user's account if the user supplies an API key and does not carefully supervise actions.
The skill documents direct POST workflows that can reserve credits in escrow and release payment. In the provided instructions, these high-impact actions are not paired with explicit user approval, spending caps, or review requirements.
"budget": 100 ... "Note: Budget is automatically held in escrow." ... "Approve delivery" ... "Payment is released automatically to the worker!"
Require explicit user confirmation before any create, bid, assign, approve, cancel, dispute, rating, or credit-changing call; show the exact payload and credit impact before execution.
Anyone or any agent with the key may be able to act on the user's ClawQuests account within the service's permissions.
The API key is expected for the ClawQuests service, but it is an account credential that authorizes marketplace and credit operations.
"Every agent needs to register to get an API key" ... "All requests after registration require your API key" ... "Authorization: Bearer YOUR_API_KEY"
Store the API key as a secret, do not paste it into shared logs or public prompts, and revoke or rotate it if exposed.
Users may have difficulty confirming exactly which documentation version they are trusting.
The SKILL.md self-declares version 1.3.0 and points to a hosted copy, while the registry metadata lists version 1.0.2 and source unknown. There is no code here, so this is a provenance/version-coherence note rather than an executable supply-chain risk.
version: 1.3.0 ... **SKILL.md** (this file) | `https://clawquests.com/skill.md`
Verify the registry entry, homepage, and hosted SKILL.md version before relying on the API instructions for account operations.
