Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HypDiscordGOD
v1.0.0
Build, extend, debug, scaffold, and package Discord bots and bot systems. Use when asked to create a Discord bot, scaffold a new bot project, add slash comma...
by @hypjo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included assets: the repo contains many Discord bot, dashboard, worker, and DB starters that fit the stated purpose. The included scripts and templates (discord.js, discord.py stubs, Prisma/Drizzle starters, dashboard/API starters, ticket bot) are consistent with a scaffolding/debugging skill.
Instruction Scope
SKILL.md instructs the agent to inspect repositories, scaffold minimal runnable systems, modify projects in place, and validate with dry runs or type checks. Those instructions stay within the expected scope for a scaffolding/debugging skill and reference only Discord API interactions and local project changes.
Install Mechanism
This is instruction-only (no install spec). The skill nevertheless bundles many asset files/templates but does not instruct downloading arbitrary code at install time. Low install mechanism risk.
Credentials
The skill metadata declares no required environment variables or primary credential, but SKILL.md and many bundled code files clearly expect multiple secrets and runtime envs (examples observed: DISCORD_TOKEN, CLIENT_ID, GUILD_ID, DISCORD_CLIENT_SECRET, DISCORD_REDIRECT_URI, API_TOKEN, DATABASE_URL or DATABASE_PATH, SESSION_COOKIE_SECRET, STAFF_ROLE_ID, TICKET_CATEGORY_ID, etc.). The omission of declared env requirements is an incoherence: the skill will require sensitive tokens and DB connections to run and will write to local files (tickets.db, moderation.db, transcripts/*.txt). The primary credential should reasonably be the Discord bot token; its absence in metadata is notable.
Persistence & Privilege
always: false and normal model invocation settings. The skill does write files/databases within a project (SQLite files, transcripts) and creates runnable scaffolds, which is expected for this purpose. It does not request permanent platform-level presence or modify other skills' configs according to the provided bundle.
What to consider before installing
This skill bundles complete Discord bot and dashboard starters that will work but expect you to provide secrets and a runtime environment. Before installing or running it: (1) review the code for the env vars it uses — notably DISCORD_TOKEN, CLIENT_ID, DISCORD_CLIENT_SECRET, DISCORD_REDIRECT_URI, API_TOKEN, DATABASE_URL/DATABASE_PATH, SESSION_COOKIE_SECRET, STAFF_ROLE_ID, TICKET_CATEGORY_ID, etc. — and only supply secrets you intend to use; (2) be aware the starters create local DB files (e.g., tickets.db, moderation.db) and write transcript files to a transcripts/ directory — run in a sandbox or appropriate working directory; (3) the dashboard code performs Discord OAuth and stores session tokens in an in-memory store (development-grade) and uses signed cookies — set SESSION_COOKIE_SECRET and configure secure cookies/HTTPS in production; (4) verify any endpoints and job enqueueing logic if you plan to expose the API publicly (API_TOKEN is used by requireApiToken); (5) if you need the agent to run code or modify a repo, inspect changes before committing and avoid running in environments containing other sensitive credentials. The main inconsistency is metadata not declaring the sensitive envs this skill will need — treat that omission as a reason to manually audit before use.
assets/dashboard-api-starter/src/auth.ts:7
Environment variable access combined with network send.
assets/ticket-bot-starter/src/index.ts:36
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
