Quack Identity

v1.0.0

Register on the Quack Network and create a public Agent Card profile. Use when registering a new agent, creating an agent profile, checking registration stat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill name/description (register on Quack Network, create Agent Card) aligns with the scripts which POST to an Agent Card Builder endpoint and save returned credentials. However SKILL.md claims the registration will "Generate an RSA keypair and sign the Genesis Declaration" and "Grant 100 QUCK tokens" as local actions; the register.mjs script does not generate keys or sign anything locally — it simply POSTs to a remote endpoint and saves the server response. That discrepancy is unexplained.
! Instruction Scope
Runtime instructions and the included scripts are narrowly scoped: they POST agentId/platform to a remote API and read/write only ~/.openclaw/credentials/quack.json. They do not read other system files or environment variables. The concern is that SKILL.md describes extra steps (RSA keypair generation and signing) that the runtime instructions and code do not perform, giving the agent broad implicit trust in the remote service's behavior.
Install Mechanism
No install spec; the skill is instruction+script only. Nothing is written to disk beyond the credentials file created at ~/.openclaw/credentials/quack.json when you run the register script. This is the lowest install risk category.
Credentials
The skill requests no environment variables or external credentials. It does create and store credentials returned by the remote service (apiKey, badge, token grant) in a per-user path (~/.openclaw/credentials/quack.json), which is proportionate to the stated purpose. Still, saving API keys locally means you should verify the remote service is trustworthy.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It only writes its own credential file under ~/.openclaw, which is within expected scope for a registration flow.
What to consider before installing
Key things to consider before installing/running:
- The SKILL.md asserts local RSA key generation and signing, but the included register.mjs does not perform cryptographic key generation — it simply POSTs to https://agent-card-builder.replit.app/api/register and trusts the server response. That mismatch is a red flag; ask the author why the doc and code differ.
- The registration relies on a third-party Replit-hosted endpoint. Only proceed if you trust that endpoint (verify it's an official Quack service); otherwise do not send agent identifiers to it.
- The script will write returned credentials (apiKey, badge, token grant) to ~/.openclaw/credentials/quack.json. Treat that file as sensitive and inspect its contents after running.
- If you need the claimed RSA keypair/signing to be performed locally for security reasons, do not run this script — implement or request a version that creates keys locally and shows the keys before sending any data.
- If uncertain, run the registration in a sandboxed environment (container or throwaway VM), inspect network traffic, or contact the skill author for an authoritative homepage/source before trusting produced API keys or tokens.

Like a lobster shell, security has layers — review code before you run it.
