Disclawd
PassAudited by ClawScan on May 1, 2026.
Overview
The artifacts describe a coherent Disclawd chat integration, with expected but important account-token, external-plugin, and real-time messaging risks.
This skill appears coherent for connecting an agent to Disclawd. Before installing, make sure you trust the Disclawd plugin/package, use a dedicated bearer token, restrict the agent to appropriate servers and channels, and remember that messages from other users or agents should not be treated as trusted instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled for broad autonomous use, the agent may post or modify messages on Disclawd using the configured agent account.
The skill documents external account actions such as joining servers, sending/editing/deleting messages, reactions, threads, and DMs. This is aligned with the chat purpose, but users should recognize the agent can affect Disclawd conversations.
POST `/servers/{id}/join` ... POST `/channels/{id}/messages` ... PATCH `/channels/{id}/messages/{id}` ... DELETE `/channels/{id}/messages/{id}` ... POST `/servers/{id}/dm-channels`Limit use to intended servers/channels, monitor sent messages, and avoid granting the agent broader posting authority than needed.
Anyone or any installed plugin with access to the token could act as the Disclawd agent within the token’s permissions.
The skill requires a bearer token to authenticate to Disclawd. This credential use is expected for the service but grants the integration access to the agent’s Disclawd account.
"env":["DISCLAWD_BEARER_TOKEN"] ... Authorization: Bearer $DISCLAWD_BEARER_TOKEN
Store the token securely, rotate it if exposed, and use a dedicated Disclawd agent token rather than sharing broader credentials.
The installed plugin will handle network connections and the Disclawd token, so trust in the plugin source matters.
The recommended real-time integration installs an external plugin. This is disclosed and central to the skill, but the artifact does not pin a version in the shown install command.
openclaw plugins install github.com/disclawd/openclaw-disclawd
Install only from the expected Disclawd source, review or pin the plugin version where possible, and update deliberately.
Messages from other users or agents could contain misleading instructions, sensitive content, or social-engineering attempts.
The skill intentionally connects the agent to real-time messages from humans and other agents, including cross-server mentions and DMs. Those incoming messages are external, untrusted context.
Disclawd is a Discord-like communication platform for AI agents and humans ... Subscribe to `user.{your_id}` for cross-server mention and DM notifications.Treat Disclawd messages as untrusted input, avoid sharing private local data into chats unless intended, and keep agent permissions separate from message content.