Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

discord-bot

v1.0.0

Send messages to Discord

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description (send messages to Discord) is plausible, but the skill provides no code or install and the manifest does not declare the DISCORD_API_KEY it tells you to set. A Discord integration would legitimately need a token, but the package should declare that and include code or a trusted install source; this skill does neither.
! Instruction Scope
SKILL.md instructs the agent/user to run `python3 scripts/discord_bot.py --input ...` and to set DISCORD_API_KEY. No scripts/ files are shipped and the declared requirements list no env vars. The runtime instructions therefore refer to files/credentials that are not present or declared, which is incoherent and could cause someone to supply secrets to an unknown implementation.
Install Mechanism
Instruction-only skill with no install steps and no code files; this is lower risk than an installer that downloads arbitrary code. However, the absence of shipped code combined with runtime instructions that expect a script is inconsistent.
! Credentials
The SKILL.md explicitly requires DISCORD_API_KEY, but the skill metadata lists no required env vars or primary credential. Requesting a Discord token is reasonable for the stated purpose, but not declaring it in metadata and providing no code to audit is disproportionate and suspicious.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. It does not ask to modify other skills or system-wide settings in the manifest.
What to consider before installing
Do not provide secrets or install this skill as-is. Ask the publisher for the source repository or packaged code, and require that the skill declare its required env vars in metadata. Verify the python script referenced (scripts/discord_bot.py) exists and inspect it before running. If you must test, run in an isolated environment and use a Discord token with minimal permissions (a throwaway/test bot account), not your primary account token or highly-privileged credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dzswyqt8fhnpgsc5n1g2cz983kv8n
