Discli
v0.6.2
Discord server management CLI. Use when you need to manage Discord servers — channels, roles, permissions, messages, embeds, file uploads, emojis, invites, a...
⭐ 0· 72·0 current·0 all-time
by Ibrahim @ibbybuilds
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Discord server management) align with what the skill requires: the discli binary and a BOT_TOKEN. The npm install instructions in SKILL.md match the stated source (GitHub/@ibbybuilds). No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md instructs sending messages, uploading local files, reading/searching messages and audit logs, and performing destructive actions (delete, kick, ban) — all expected for a management CLI. It also instructs using discli init --token <token>, which can leak tokens if passed on the command line; SKILL.md otherwise declares BOT_TOKEN as the primary environment variable. SOUL.md includes persona directions to 'scan the messages' and 'read the channel' — these are within scope for an admin bot but are privacy-relevant and give the agent discretion to read server content.
Install Mechanism
There is no automated install spec in the skill bundle (instruction-only). SKILL.md recommends installing the npm package globally (npm install -g @ibbybuilds/discli). That is a standard, expected distribution method for a CLI; the package source is a GitHub org referenced in the docs. No opaque downloads or extract steps are present in the skill bundle.
Credentials
Only a single required env var (BOT_TOKEN) is declared, which is appropriate for controlling a Discord bot. However, BOT_TOKEN is powerful: it can grant the bot full permissions configured in Discord. Passing tokens on the command line (discli init --token <token>) can expose them via shell history or process listings; prefer storing the token in an environment variable or a secure file. No unrelated credentials are requested.
Persistence & Privilege
The skill does not set always: true and does not request system-wide configuration changes. It is user-invocable and allows autonomous model invocation by default (platform default). There is no evidence the skill attempts to modify other skills or system configs.
Assessment
This skill appears to do what it says: manage Discord servers via the discli CLI and requires a BOT_TOKEN. Before installing or running it, consider:
1) BOT_TOKEN is powerful—use a bot account with least privilege necessary and review the bot's permissions in the Discord Developer Portal.
2) Avoid passing tokens on the command line (discli init --token ...) because shell history and process lists can expose them; use the BOT_TOKEN environment variable or a secure secrets store.
3) Review the npm package and the GitHub repo (@ibbybuilds/discli) yourself before installing to ensure the published package code matches the repo and contains no surprises.
4) Be cautious with destructive commands (delete/kick/ban); SKILL.md mentions --confirm and --dry-run — use them.
5) The skill (and its persona) will read channel messages and audit logs as part of management tasks; if you need to limit reading or data exposure, restrict the bot's server permissions or avoid installing the skill.
If you want a deeper assessment, provide the actual installed package contents (or the GitHub repo source) so the code can be inspected for unexpected network endpoints, logging, or token exfiltration.
Like a lobster shell, security has layers — review code before you run it.
latest vk9750eff9wd7c3b415t0e2a0sh83fm64
Runtime requirements
🎮 Clawdis
Bins: discli
Env: BOT_TOKEN
Primary env: BOT_TOKEN
