Skill v1.0.0

ClawScan security

Discord Hub Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 8:37 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its description: it builds Discord roles/channels and pins workflow cards via the Discord REST API and requires a Discord bot token and guild ID (passed at runtime).
Guidance
This skill appears to do exactly what it says, but take these precautions before running:
1) Provide only a bot token with the minimal permissions you can (it needs Manage Channels/Roles/Manage Messages to perform all actions).
2) Prefer not to pass the token on the command line on multi-user systems (CLI args can be visible via process listings); consider using an environment variable or an interactive prompt, and rotate the token if exposed.
3) Run the dry-run first to preview changes—the script can create duplicate channels if re-run.
4) Only run this against servers you control or have explicit permission to modify.
5) If you accidentally leak the token or suspect compromise, immediately revoke/rotate it in the Discord developer portal.

Review Dimensions

Purpose & Capability
ok
Name/description promise (create a Discord AI command center) matches the contained script and runtime instructions. The script only calls the Discord API to create roles, categories, channels, post messages, and pin those messages—functionality expected for this purpose.
Instruction Scope
ok
SKILL.md explicitly limits actions to creating roles, categories, channels, posting & pinning messages, and printing channel IDs. It documents required bot permissions and guild ID. The script does not read unrelated files or send data to external endpoints other than discord.com.
Install Mechanism
ok
No installation/downloading is performed; this is an instruction-only skill with an included Python script. No external archive downloads or package installs are invoked.
Credentials
note
The skill requires a Discord bot token with Manage Channels/Roles/Messages and a guild ID—these are appropriate for the task. Minor mismatch: the registry metadata lists no required env vars, while SKILL.md/docs expect the user to supply the token and guild ID as CLI arguments; this is not malicious but is an operational detail the user should note.
Persistence & Privilege
ok
The skill does not request always:true or claim permanent system presence. It runs when invoked and performs only Discord API calls using the supplied token. Autonomous invocation is allowed by platform default but not intrinsically problematic here.