Back to skill
Skillv1.0.0
ClawScan security
mee6 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 3:52 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only helper for sending Mee6 commands via the existing Discord messaging tool and its requested access (channels.discord.token) is consistent with that purpose.
- Guidance
- This appears to be a harmless, documentation-style skill that tells the agent how to format Mee6 commands and to use your existing Discord messaging credential. Before installing: 1) Verify the channels.discord.token stored in your system is scoped with least privilege (prefer a channel webhook or a bot token limited to the needed server/channel and actions). 2) Confirm the platform gating (channels.discord.actions.*) is configured so the agent cannot send Mee6 commands except when you explicitly request them. 3) Because the skill's source is 'unknown' and there's no homepage, prefer installing only if you trust the registry owner or after reviewing the skill text (it's short and readable). 4) Rotate the token if you suspect it was exposed and monitor Discord audit logs for unexpected Mee6 commands.
Review Dimensions
- Purpose & Capability
- okName/description match the runtime instructions: the skill is a thin documentation layer for sending Mee6-specific Discord messages. Requesting channels.discord.token (a Discord messaging credential) is consistent with posting commands to Mee6.
- Instruction Scope
- okSKILL.md only instructs the agent to use the platform's message tool with channel: "discord" to send Mee6 commands and to follow Mee6-specific syntax and gating. It does not request unrelated files, environment variables, or external endpoints.
- Install Mechanism
- okNo install spec and no code files — instruction-only. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- noteThe skill declares a required config path channels.discord.token which is appropriate for sending Discord messages. This token is sensitive — ensure it is scoped to only the permissions needed (prefer channel-limited webhook or bot token with minimal scope) and that the platform's gating controls are applied.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or cross-skill configuration changes. Agent autonomous invocation is allowed (platform default) but not a special privilege here.