Discord

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only Discord skill is coherent and disclosed, but using it means trusting ClawLink with delegated Discord access and approving any write or moderation actions carefully.

This skill appears safe for its stated purpose, but it is powerful: only connect Discord accounts or servers you intend OpenClaw to manage, review ClawLink permissions, and require explicit confirmation before sending messages, changing roles, moderating members, or modifying channels.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user approves a write or moderation action, the agent may change Discord content, roles, channels, or commands according to the connected account’s permissions.

Why it was flagged

The skill can perform public-facing or administrative Discord actions, but it frames them as user-confirmed operations and includes preview/confirmation guidance.

Skill content

Send messages after confirmation; Manage channels, roles, and application commands when available; Moderate or update community resources with confirmation

Recommendation

Confirm previews carefully, start with read/list operations, and only approve write or moderation actions for the intended server and scope.

What this means

Connecting Discord may allow the agent, through ClawLink, to act with the permissions granted by the connected Discord account or bot configuration.

Why it was flagged

The skill relies on delegated Discord account permissions through ClawLink, which is expected for Discord management but can include substantial authority depending on granted scopes and server permissions.

Skill content

Tell the user to connect Discord at https://claw-link.dev/dashboard?add=discord ... actual availability depends on the user's connected account, permissions, scopes

Recommendation

Review Discord and ClawLink scopes before connecting, limit permissions where possible, and revoke the connection when no longer needed.

What this means

The actual Discord tools and credential handling are provided by the ClawLink plugin and service, so trust shifts to that plugin and provider.

Why it was flagged

The skill is instruction-only and depends on an external plugin installed separately. The install is user-directed and purpose-aligned, but the plugin code is not part of this artifact set.

Skill content

Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`

Recommendation

Install only the verified ClawLink plugin from the expected source, and review ClawLink’s verification, documentation, and source links before use.

What this means

Discord account connection details, tool requests, and some Discord data may be handled by ClawLink as part of the integration.

Why it was flagged

Discord connection and tool execution are brokered through a third-party integration hub. The data flow is disclosed and bounded to claw-link.dev, but it is still an external service boundary.

Skill content

Powered by ClawLink ... handles hosted connection flows and credentials ... The resulting device credential is stored locally in OpenClaw's plugin config and is only sent to `claw-link.dev`.

Recommendation

Use ClawLink only if you trust its service boundary, review its privacy/security materials, and avoid connecting servers or accounts with broader permissions than necessary.