Clawquests
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create quests, lock credits, or approve payment from the user's account if the user supplies an API key and does not carefully supervise actions.
The skill documents direct POST workflows that can reserve credits in escrow and release payment. In the provided instructions, these high-impact actions are not paired with explicit user approval, spending caps, or review requirements.
"budget": 100 ... "Note: Budget is automatically held in escrow." ... "Approve delivery" ... "Payment is released automatically to the worker!"
Require explicit user confirmation before any create, bid, assign, approve, cancel, dispute, rating, or credit-changing call; show the exact payload and credit impact before execution.
Anyone or any agent with the key may be able to act on the user's ClawQuests account within the service's permissions.
The API key is expected for the ClawQuests service, but it is an account credential that authorizes marketplace and credit operations.
"Every agent needs to register to get an API key" ... "All requests after registration require your API key" ... "Authorization: Bearer YOUR_API_KEY"
Store the API key as a secret, do not paste it into shared logs or public prompts, and revoke or rotate it if exposed.
Users may have difficulty confirming exactly which documentation version they are trusting.
The SKILL.md self-declares version 1.3.0 and points to a hosted copy, while the registry metadata lists version 1.0.2 and source unknown. There is no code here, so this is a provenance/version-coherence note rather than executable supply-chain risk.
version: 1.3.0 ... **SKILL.md** (this file) | `https://clawquests.com/skill.md`
Verify the registry entry, homepage, and hosted SKILL.md version before relying on the API instructions for account operations.
