Codecast
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
Codecast clearly streams coding sessions to Discord, but it also encourages unrestricted agent permissions and includes bridge/review modes that can enable unsafe local actions.
Install only if you understand that coding-agent output, file previews, and command results will be sent to Discord. Avoid the global Claude permission-bypass setup, restrict the Discord bridge to specific channels and users, and do not use PR review mode on untrusted PRs until the eval-based command construction is fixed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A coding agent launched through this workflow may read, write, and run commands without normal confirmation, increasing the blast radius of mistakes or prompt-injected instructions.
The setup recommends globally disabling Claude Code permission prompts and allowing all actions, while SKILL.md examples also use --dangerously-skip-permissions.
"defaultMode": "bypassPermissions", "allow": ["*"]
Do not require global permission bypass. Prefer per-project approvals, sandboxed working directories, and explicit confirmation for file writes, shell commands, network access, and destructive actions.
If the bridge is running, a Discord user who can reach it could terminate arbitrary local processes by PID, not just Codecast sessions.
The Discord !kill handler passes a user-supplied PID directly to a function that sends SIGTERM/SIGKILL, without verifying that the PID belongs to an active Codecast session.
def kill_session(pid): ... os.kill(pid, signal.SIGTERM) ... os.kill(pid, signal.SIGKILL) ... ok, msg = kill_session(parts[1])
Only allow killing PIDs listed in /tmp/dev-relay-sessions, require an allowlisted channel/user, and consider confirmation or disabling remote kill by default.
Reviewing a maliciously crafted PR could cause unintended shell commands to run on the user's machine before or during the agent session.
The review prompt is built from PR metadata and then interpolated into a shell string executed with eval, allowing quotes or shell metacharacters in untrusted PR content to affect local command execution.
AGENT_CMD="claude -p --dangerously-skip-permissions --output-format stream-json --verbose '${REVIEW_PROMPT}'" ... eval "bash '$SCRIPT_DIR/dev-relay.sh' $RELAY_FLAGS -- $AGENT_CMD"Remove eval and build commands with shell arrays; pass prompts as arguments without shell re-parsing, and safely escape or store untrusted PR text in a file.
Discord messages from unintended users or channels could be forwarded into a live coding agent, and session status/log commands could expose development activity.
The bridge defaults are documented as watching all channels and allowing all users, while advanced mode says plain Discord text is auto-forwarded if one session is active.
`BRIDGE_CHANNEL_ID` | Channel for bridge to watch | All; `BRIDGE_ALLOWED_USERS` | User IDs for bridge | All
Require explicit channel and user allowlists before starting the bridge, disable plain-text auto-forwarding by default, and use explicit !send commands with authorization checks.
Private code, command output, or secrets accidentally printed during a session may remain in local temporary logs for several days.
The skill retains raw session event logs locally for replay, which can include code, file paths, command output, and agent messages.
Event logs: `/tmp/dev-relay.XXXXXX/stream.jsonl` (7-day auto-cleanup)
Avoid streaming secrets, use --skip-reads when appropriate, review Discord audience permissions, and manually delete relay directories after sensitive sessions.
Users must manage extra local packages and secrets themselves, and misconfigured file permissions could expose Discord credentials.
The setup requires manual dependency installation and local credential files even though the registry metadata declares no primary credential or required environment variables.
pip install websocket-client ... echo "https://discord.com/api/webhooks/<ID>/<TOKEN>" > {baseDir}/scripts/.webhook-urlDeclare webhook/bot-token requirements in metadata, pin optional Python dependencies, and keep .webhook-url and .bot-token chmod 600 or use a secure secret store.