HypDiscordGOD
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: hypdiscordgod
Version: 1.0.0
The hypdiscordgod skill bundle is a comprehensive and legitimate toolkit for developing Discord bots, dashboards, and related infrastructure. It provides well-structured templates for various environments (Node.js, Bun) and ORMs (Prisma, Drizzle), along with shell scripts for scaffolding projects. The code demonstrates security awareness by implementing CSRF protection (assets/dashboard-api-starter/src/csrf.ts), emphasizing the use of environment variables for secrets, and providing extensive documentation on best practices like least-privilege intents and secure OAuth handling. No indicators of malicious intent, data exfiltration, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this starter is run on a reachable network, unauthorized callers could create or alter moderation records and audit entries, which could mislead staff or downstream automation.
The moderation dashboard starter exposes routes that write warning, moderation-action, and audit-log records without visible authentication, guild permission checks, CSRF checks, or route-level authorization.
app.use(cors());
...
app.post('/warnings', (req, res) => { ... INSERT INTO warnings ... });
...
app.post('/mod-actions', (req, res) => { ... INSERT INTO mod_actions ... });
Before using this beyond local experimentation, add dashboard authentication, per-guild Manage Guild or moderator checks, CSRF protection for browser flows, input validation, and restrictive CORS.
A leaked or over-permissioned bot token could let someone control the bot in your Discord servers.
The scaffolded bot logs into Discord with a bot token. This is necessary for the skill's stated purpose, but it grants whatever Discord permissions the user assigns to that bot.
await client.login(process.env.DISCORD_TOKEN);
Use least-privilege bot permissions and intents, store tokens only in protected environment variables or secret managers, and rotate tokens if exposed.
If the API process or memory is compromised while sessions are active, OAuth tokens could be abused to access Discord identity and guild-list information.
The dashboard API starter stores Discord OAuth access and optional refresh tokens in an in-memory session map. This is disclosed as development-grade in the skill guidance, but the data is sensitive.
accessToken: string;
refreshToken?: string;
...
sessions.set(sessionId, { discordUserId, accessToken, refreshToken, ... expiresAt ... });
For production, use HTTPS, secure cookies, a hardened server-side session store, careful refresh-token handling, session expiration, and logout/rotation behavior.
Private Discord ticket conversations may remain on disk after a ticket is closed.
The ticket bot starter exports recent ticket-channel messages and attachment URLs to local transcript files. This is purpose-aligned and disclosed, but ticket transcripts can contain private support content.
const messages = await channel.messages.fetch({ limit: 100 });
...
fs.writeFileSync(filePath, transcript || '[empty transcript]\n', 'utf8');
Set a clear transcript retention policy, restrict filesystem access, avoid storing unnecessary sensitive content, and tell server members how transcripts are handled.
