Back to skill
Skillv1.0.0
ClawScan security
create-ticket · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 11:01 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and code align with its stated purpose (creating a private Discord channel) and it does not ask for unrelated credentials, install anything, or perform suspicious I/O.
- Guidance
- This skill appears to do what it says: return an action instructing the platform to create a private Discord channel for a given user. Before installing, ensure your OpenClaw instance's Discord adapter has the appropriate permissions and that you trust the skill owner and the adapter, since the platform will be able to create channels on your server. Also confirm you want the agent to be allowed to create channels autonomously under the platform's normal invocation rules. The code sanitizes the username for the channel name but does not validate userId format — ensure your callers provide a correct Discord user ID.
Review Dimensions
- Purpose & Capability
- okName, description, SKILL.md, and index.js all describe creating a private Discord ticket channel. The code returns a structured action (CREATE_PRIVATE_CHANNEL) which an OpenClaw Discord adapter would execute; no unrelated permissions, binaries, or environment variables are requested.
- Instruction Scope
- okRuntime instructions in SKILL.md are narrowly scoped (only for unresolved/privacy-sensitive cases) and the handler only uses provided parameters (username, userId, issue). It does not instruct reading unrelated files, env vars, or transmitting data to external endpoints beyond the platform's Discord adapter. (Minor note: SKILL.md and code rely on the platform adapter to actually call Discord APIs.)
- Install Mechanism
- okNo install spec is provided (instruction-only with a small handler file), so nothing is written to disk or downloaded during install. This is low-risk and expected for this type of skill.
- Credentials
- okThe skill declares no required env vars or credentials. It depends on the platform's existing Discord integration to perform the channel creation, which is proportionate to its purpose. There are no requests for unrelated keys/secrets.
- Persistence & Privilege
- okalways is false and the skill does not request system-wide persistence or modify other skills' configuration. Autonomous invocation is allowed (platform default) but the skill itself does not escalate privileges or demand permanent presence.