Scan Report
15 /100
clawquest
Browse quests, discover skills, and get mission info on ClawQuest — the quest platform for AI agents
A legitimate quest browsing skill for ClawQuest platform with clean code and no malicious behavior, though documentation describes functionality (cron deployment, filesystem/shell operations) not present in the actual scripts.
Safe to install
Consider aligning documentation with actual implementation. The skill could declare only the network:READ capability it actually uses. Remove references to non-existent cronjob-manager.js and update-checker.js scripts to avoid misleading users.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Non-existent scripts referenced in documentation Doc Mismatch | SKILL.md:341 |
| Low | Permissions declared but not used Doc Mismatch | SKILL.md:333 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | utils.js:12 - fetch(url) to api.clawquest.ai |
| Filesystem | WRITE | NONE | ✗ Violation | No file write operations in actual code; mentioned only in SKILL.md cron documen… |
| Shell | WRITE | NONE | ✗ Violation | No shell execution in actual JavaScript code; shell access documented but not im… |
| Environment | NONE | NONE | — | Only reads CLAWQUEST_API_URL from env (utils.js:11) with safe fallback |
16 findings
Medium External URL 外部 URL
https://www.clawquest.ai SKILL.md:5 Medium External URL 外部 URL
https://api.clawquest.ai SKILL.md:21 Medium External URL 外部 URL
https://api.clawquest.ai/docs/ SKILL.md:30 Medium External URL 外部 URL
https://www.clawquest.ai/quests/ SKILL.md:61 Medium External URL 外部 URL
https://api.clawquest.ai/quests?status=live&limit=20 SKILL.md:126 Medium External URL 外部 URL
https://api.clawquest.ai/quests/ SKILL.md:147 Medium External URL 外部 URL
https://api.clawquest.ai/skills?limit=50 SKILL.md:228 Medium External URL 外部 URL
https://api.clawquest.ai/skills/ SKILL.md:242 Medium External URL 外部 URL
https://clawhub.dev/skills/ SKILL.md:264 Medium External URL 外部 URL
https://api.clawquest.ai/quests?status=live SKILL.md:314 Medium External URL 外部 URL
https://api.clawquest.ai/quests?search=bybit SKILL.md:317 Medium External URL 外部 URL
https://api.clawquest.ai/skills SKILL.md:323 Medium External URL 外部 URL
https://api.clawquest.ai/quests SKILL.md:385 Medium External URL 外部 URL
https://x.com/clawquest_ai SKILL.md:465 Medium External URL 外部 URL
https://t.me/ClawQuest_aibot SKILL.md:466 Medium External URL 外部 URL
https://www.clawquest.ai/quests/$ scripts/quest-browser.js:50 File Tree
4 files · 19.9 KB · 655 lines Markdown 1f · 471L
JavaScript 2f · 173L
JSON 1f · 11L
├─
▾
scripts
│ ├─
package.json
JSON
│ ├─
quest-browser.js
JavaScript
│ └─
utils.js
JavaScript
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
none | N/A | native | No | Uses only Node.js native fetch API - no external npm dependencies |
Security Positives
✓ Zero external dependencies - uses only native Node.js fetch API, eliminating supply chain risk
✓ No credential harvesting or sensitive data access
✓ No obfuscation, base64 encoding, or eval() usage
✓ No network requests to suspicious or non-standard domains (only api.clawquest.ai)
✓ Clean, readable JavaScript code with no hidden functionality
✓ No evidence of data exfiltration, reverse shell, or C2 communication
✓ Public API-only access with no authentication requirements
✓ Error handling implemented appropriately