Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Discord Doctor

v1.0.0

Quick diagnosis and repair for Discord bot, Gateway, OAuth token, and legacy config issues. Checks connectivity, token expiration, and cleans up old Clawdis artifacts.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Discord/Clawdbot diagnosis and cleanup) align with the checks and fixes described in SKILL.md. However, the registry metadata at the top says no binaries or environment variables are required, while the SKILL.md metadata declares required binaries (node, curl) — a mismatch. No source/homepage is provided, reducing auditability.
! Instruction Scope
SKILL.md instructs the agent to inspect processes, check a local gateway (port 18789), run `clawdbot health`, interact with local config (~/.clawdis and ~/Clawdis), remove a launchd plist, move config directories, start/restart the gateway, and run `npx clawdbot configure`. These actions are coherent with its purpose but are destructive and potentially sensitive (file deletion/moves, process restarts, exposing local tokens). The instructions are vague about confirmation prompts, exact working directories for npm installs, and safety checks.
! Install Mechanism
There is no install spec for the skill itself (instruction-only), but the runtime instructions call `npm install` and `npx`, which will download and execute packages from the network. That runtime download/execute behavior increases risk because it can fetch arbitrary code at the time the skill runs. The SKILL.md also references installing packages like discord.js and strip-ansi without scoping where or how (global vs project).
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, it will read and act on local configuration and OAuth tokens stored by Clawdbot/Clawdis (e.g., suggesting `npx clawdbot configure` to re-authenticate). Access to local token files/config is expected for the purpose but is sensitive; the skill does not declare or document exactly which files it will read.
Persistence & Privilege
The skill does not request always:true and has no install spec, so it does not demand permanent system presence. Autonomous invocation is allowed (platform default) but that alone is not a decisive risk. The SKILL.md's auto-fix behavior can modify user files and start/stop services, which are significant privileges at runtime but are within the stated repair scope.
What to consider before installing
This skill appears to be a local repair tool for Clawdbot/Clawdis and largely does what it says, but exercise caution before installing or letting it run autonomously. Specific things to consider before use:

- The SKILL.md will perform destructive actions (remove ~/Library/LaunchAgents/com.clawdis.gateway.plist, move ~/.clawdis to a backup) and start/stop processes — ensure you have backups and understand those changes.
- It runs npm install / npx at runtime, which can download and execute code from the network; prefer to run these commands yourself in a controlled environment first so you can inspect what will be installed.
- Registry metadata is inconsistent (top-level metadata says no required binaries, embedded SKILL.md metadata requires node and curl). Confirm the runtime requirements and where commands will be executed (which directory, global vs project).
- There is no source or homepage to audit. If you need to trust this behavior, ask the publisher for source code or run the SKILL.md steps manually on a test machine/VM before enabling autonomous invocation.
- If you decide to use it, run initially without --fix to review diagnostics, and only run --fix after verifying the exact actions and confirming they are safe.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dr25hgxrgkthkynw2m8rpx57yv44t


Runtime requirements

🩺 Clawdis
OS: macOS · Linux
Bins: node, curl
