Skill v4.1.0

ClawScan security

Codecast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 3:39 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill largely does what it claims (stream agent output to Discord) but asks for and performs actions that aren't fully declared or proportionate (undocumented credentials, instructions to bypass model permissions, ability to write to /proc and kill processes, and to post file contents to remote webhooks).
Guidance
This skill will post live agent activity (including file reads/edits, command outputs, and potentially file contents) to a Discord webhook or channel. Before installing:

1) Review all included scripts (they are shipped with the skill) and understand they can clone repos and run code (PR review mode) and can inject input into/kill agent processes.
2) Do NOT enable the suggested Claude 'bypassPermissions' setting or use --dangerously-skip-permissions unless you fully understand the security impact — it disables model-level protections.
3) Treat any bot token or webhook as sensitive: prefer one-way webhook posting (no BOT token) if you only need relay output; restrict allowed Discord users and channels when using the bridge.
4) Run the skill in a sandbox/container or isolated account, and avoid mounting host secrets into the working directories.
5) If you plan to use PR review or parallel modes, ensure gh/git access is limited and consider running those features on a throwaway runner.
6) The registry metadata omitted several env/credential requirements — expect to supply CODECAST_BOT_TOKEN / .bot-token, a webhook URL file, and gh CLI credentials; only proceed if you accept that scope and have audited the scripts.

Review Dimensions

Purpose & Capability
concern: The name/description (stream coding sessions to Discord) matches the shipped scripts, but the skill requires additional runtime capabilities not declared in the registry metadata: Discord bot token usage, webhook storage, GH/gh CLI access (for PR review), and macOS keychain access are referenced in docs/scripts but not listed as required env vars. PR review mode clones repos and runs arbitrary code — coherent with a review feature but raises extra privileges that a user should expect to be explicitly requested.
Instruction Scope
concern: Runtime instructions and scripts go beyond just relaying stdout: they advise creating ~/.claude/settings.json to 'bypassPermissions' and use --dangerously-skip-permissions (disabling agent permission checks), clone remote repos and run agents against them, read and post file contents to Discord (potentially leaking secrets), write session breadcrumbs in /tmp, and create/consume named pipes or /proc/<pid>/fd/0 to forward input. These steps can enable exfiltration and remote-driven command execution and are not limited to benign streaming.
Install Mechanism
note: There is no install spec (instruction-only), and all code is included in the bundle (shell + Python). That lowers remote-install risk, but some runtime dependencies are implied (python3, unbuffer, curl, gh, websocket-client) yet not centrally declared. No external download URLs are used, which is good; however missing dependency declarations mean operators might run the skill without realizing required packages and capabilities.
Credentials
concern: Registry metadata lists no required env vars, but SKILL.md and scripts expect/optionally use several secrets and env vars: WEBHOOK_URL/.webhook-url, CODECAST_BOT_TOKEN (or .bot-token), BRIDGE_CHANNEL_ID, BRIDGE_ALLOWED_USERS, CODECAST_RATE_LIMIT, and optional keychain access. The skill also relies on gh CLI authentication for PR review mode. Secrets and credential access are not declared up-front, which is disproportionate to a simple 'stream to Discord' description and hides the credential blast radius.
Persistence & Privilege
note: always:false (no forced persistence) and user-invocable:false are appropriate. The skill does create /tmp/dev-relay-sessions entries, writes stream.jsonl and breadcrumb files, and the bridge can send signals (os.kill) and write to /proc/<pid>/fd/0 or a named pipe to inject stdin into other processes. Those are powerful runtime privileges (process control and inter-process I/O) — coherent with an interactive relay but worth caution. No evidence the skill modifies other skills or global agent configs beyond its own files.