Skill v1.0.0

ClawScan security

Activity Notifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 7:34 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This skill's declared purpose (broadcasting agent activity to a Discord channel) matches what its instructions and requirements request; there are a few small documentation inconsistencies but no signs of covert or unrelated access.
Guidance
This skill will post the agent's activity updates to a Discord channel using the channels.discord.token credential. Before installing:
1) Confirm channels.discord.token is a token you control and that it has limited permissions (prefer a bot token scoped to only send messages).
2) Use a dedicated, non-sensitive Discord channel to avoid leaking private data — agent messages can include context or error details.
3) Note the SKILL.md mentions an optional ACTIVITY_CHANNEL_ID env var that isn't declared in the registry; if you plan to override the channel, set and review that variable.
4) Test in a disposable channel first to ensure the messages and frequency meet your expectations and to avoid spam.
5) If you want stricter controls, restrict when the skill is invoked or require manual confirmation before sending updates.
Findings
[no_regex_findings] expected: Scanner found no matches; this is expected because the skill is instruction-only with no code files for static analysis.

Review Dimensions

Purpose & Capability
ok: The skill's name, description, and runtime instructions all describe sending activity updates to Discord. The single required config path (channels.discord.token) is appropriate for that purpose.
Instruction Scope
note: SKILL.md instructs the agent to use the message tool to send concise status updates to a Discord channel. This scope is narrow and consistent, but you should be aware that any content the agent includes in these messages (including context, progress, or errors) will be posted to Discord and could leak sensitive information if not controlled.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded. Low install risk.
Credentials
note: The skill declares a required config path channels.discord.token (expected for Discord integration). SKILL.md also mentions an optional ACTIVITY_CHANNEL_ID environment variable but that env var is not listed in the registry requires.env — minor inconsistency. No unrelated credentials are requested.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request permanent presence or modify other skills. Normal privilege level for a notifier skill.