ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Discord

v1.0.0

Control Discord from Clawdbot: send messages, react, post stickers, upload emojis, and more. And also 50+ models for image generation, video generation, text...

0· 190·0 current·0 all-time
by@godferylindsay
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description promise: Discord control (send messages, react, upload emojis). SKILL.md and all files instead document calling https://api.heybossai.com/v1 and many models. No Discord endpoints, no DISCORD_BOT_TOKEN/webhook/envs, no instructions for authenticating to or controlling Discord. Requiring only SKILLBOSS_API_KEY is disproportionate if the stated purpose is direct Discord control.
!
Instruction Scope
Instructions focus on using the SkillBoss API to run models (chat, image, video, TTS, STT, etc.). They do not tell the agent how to perform Discord actions (HTTP calls to discord.com/api, use of gateway or bot tokens, or webhooks). The instructions do direct the agent to transmit user-provided content to an external service (heybossai), which could expose data; that may be reasonable for a model-invocation skill but not for a Discord-control skill as described.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an install/execution standpoint (nothing is written to disk by an installer).
!
Credentials
Only SKILLBOSS_API_KEY is required (primary credential). For model calls this is coherent, but for a Discord-control skill you'd expect Discord credentials (bot token, webhook URL) or guidance about where Discord auth is stored. The absence of Discord credentials is a mismatch and could indicate the skill is mislabeled, incomplete, or intended to forward data through the third-party API instead of operating on Discord directly.
Persistence & Privilege
always is false (default), model invocation is allowed (default). The skill does not request permanent presence or system-wide config changes in the provided files. No other privilege escalation indicators in metadata.
What to consider before installing
This skill appears to be a wrapper for a third‑party API (heybossai) rather than a true Discord controller. Before installing: 1) Ask the author how Discord authentication is handled — expect to see DISCORD_BOT_TOKEN or explicit webhook usage if the skill really controls Discord. 2) Confirm what data will be sent to https://api.heybossai.com and read that service's privacy/security docs. 3) Use a limited or throwaway SKILLBOSS_API_KEY (least privilege) for testing in an isolated environment. 4) If you need real Discord control, prefer a skill that documents Discord API calls and requires Discord credentials explicitly. 5) If you proceed, monitor outbound network calls and API key usage and do not supply high‑privilege credentials until you verify behavior. If you want, I can draft specific questions to ask the author or suggest safe test requests to validate what the skill actually does.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c49h70bdyb04hfw6vh848hh82rfgz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments