Skillv1.0.0

ClawScan security

agent-council · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 13, 2026, 1:13 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's README-like instructions claim a full 'toolkit' that creates agents, manages Discord channels, and patches gateway configs, but the package contains no scripts, no declared credentials, and no install artifacts — the capabilities claimed don't match what's actually provided.
Guidance: This document is a how-to, not a self-contained toolkit. Before installing or running anything: 1) Do not run gateway config patches, restart commands, or cron-job modifications blindly — inspect the JSON payloads and scripts first. 2) Verify the scripts referenced (scripts/create-agent.sh, scripts/*.py) actually exist and review their contents for dangerous actions. 3) Expect to need Discord credentials (bot token) and gateway/admin credentials to perform channel creation and config changes — provide least-privilege tokens and rotate them if used. 4) If you only want documentation, keep this as a guide; do not copy instructions that modify ~/.openclaw or system cron without backups. 5) Ask the publisher for the source repository or packaged scripts and for explicit lists of required environment variables and exact gateway changes; absence of that information is a red flag.

Review Dimensions

Purpose & Capability: concernThe skill is described as a 'complete toolkit' that creates autonomous agents, binds them to Discord channels, updates gateway config, and restarts services. However the package contains only an instruction document (SKILL.md) and no scripts, binaries, or declared credentials. Creating Discord channels and calling gateway APIs would normally require Discord tokens and gateway credentials; those are not requested or provided. This mismatch indicates the skill does not deliver the capabilities it advertises or omits necessary requirements.
Instruction Scope: concernThe runtime instructions tell the operator/agent to run scripts (scripts/create-agent.sh, python3 scripts/setup-channel.py, scripts/rename-channel.py), patch the OpenClaw gateway config, restart the gateway, and optionally create cron jobs and edit arbitrary workspace files. Those actions require filesystem and service control privileges and access to external APIs (Discord). The skill's instructions also suggest reading and updating workspace files and running commands that could affect system state — but the skill declares none of the credentials or files required to do this. The instructions therefore grant broad operational steps without providing the required code or clearly limiting scope.
Install Mechanism: noteThis is instruction-only with no install spec and no code files, which is lower risk from automatic code installation. However the documentation expects user-supplied or external scripts (scripts/*) and recommends copying files into ~/.openclaw/skills and running openclaw gateway config.patch. Because no scripts are packaged, following the instructions as-is will fail or will rely on externally obtained code—users should not blindly run the gateway patch or restart commands unless they verify the scripts and JSON payloads.
Credentials: concernThe skill makes explicit claims about calling the Discord API and modifying gateway configs but declares no required environment variables or primary credential. Real-world use would require at minimum a Discord bot token (or similar), gateway admin credentials, and possibly file-system permissions. The lack of any declared env vars or credential requirements is disproportionate and hides sensitive operations that would need secrets.
Persistence & Privilege: noteThe skill itself does not request 'always' presence and uses default model invocation settings, which is normal. That said, the instructions explicitly tell the operator to modify gateway configuration and enable the skill in gateway entries and to restart the gateway — actions that change system-wide agent behavior. Although the skill package doesn't assert persistent privileges, following its instructions can confer broad, persistent changes to the host; users should treat those steps as privileged operations requiring review.