Skillv1.0.0

ClawScan security

Discord Server Admin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 18, 2026, 12:03 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated, narrow Discord administration purpose and only require a bot token; nothing in the files suggests hidden endpoints or unrelated permissions.
Guidance: This tool is coherent with its description, but it can perform destructive actions (delete channels/roles). Only provide a bot token with the minimum permissions needed (avoid Administrator), use a dedicated bot account, and audit or rotate the token if you stop using the skill. Review and run the script in a safe environment (or a test server) first to confirm behavior. If you want to allow autonomous agent actions, ensure the agent is configured to ask for confirmation before performing writes to production servers.

Purpose & Capability: okName/description, SKILL.md, and the shipped script all align: the tool lists/edits channels and roles and assigns/removes roles via Discord Bot API. No unrelated services, credentials, or binaries are requested.
Instruction Scope: okSKILL.md and the script limit actions to channels, roles, and member role assignment and explicitly exclude bans/kicks/webhooks/bulk actions. The runtime instructions only reference Discord API endpoints and local tools (curl, python3).
Install Mechanism: okNo install spec; the skill is instruction-only with a single helper script. Nothing is downloaded from external URLs or written to system locations by an installer.
Credentials: okThe only secret required is a Discord bot token (DISCORD_BOT_TOKEN or --token). That is appropriate and proportional for a bot that performs writes to a guild via Discord's API.
Persistence & Privilege: okalways is false and the skill does not attempt to modify other skills or system-wide configs. It can be invoked autonomously by the agent (platform default), which is expected for skills.