Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Discord Hub

OpenClaw skill for Discord Bot API workflows, covering interactions, commands, messages, and operations using direct HTTPS requests.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.3k · 5 current installs · 5 all-time installs
fork of @codedao12/discord-hub (based on 1.1.0)
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill describes Discord Bot API workflows (bot tokens, interaction public key, application ID) and REST request templates — that purpose is plausible. However the included scripts implement only a simple webhook sender (requires WEBHOOK_URL), and the registry metadata lists no required env vars or primary credential. There is thus a mismatch between the stated capability (full bot operations using tokens) and the actual code (webhook-only).
Instruction Scope
SKILL.md instructs the agent/operator to provide bot tokens, application ID, and interaction public key and references signature verification and rate-limit handling, but the runtime files do not implement those behaviors. The run.sh sources a .env file from the skill directory (it will load any environment variables placed there). The instructions give broad guidance but do not match the code, granting the agent/operator ambiguous discretion about where/how to supply secrets.
Install Mechanism
No install spec; this is instruction-only with two small shell scripts. Nothing is downloaded or written by an installer, which minimizes install-time risk.
Credentials
Registry metadata declares no required env vars, yet SKILL.md asks for sensitive credentials (bot token, application ID, interaction public key). The actual scripts expect WEBHOOK_URL (not declared). run.sh auto-sources a local .env, which could cause accidental loading of unrelated secrets if a user drops a .env containing other credentials into the skill folder. The mismatch between declared requirements and actual env usage is a red flag.
Persistence & Privilege
The always flag is false and there is no install step; the skill does not request persistent system privileges or modify other skills. It only contains small scripts that execute when run.
What to consider before installing
This package is inconsistent: the README asks for bot tokens and interaction keys but the code only uses a WEBHOOK_URL and sources a local .env. Before installing or running:

  1) Ask the publisher to clarify which credentials are actually required and to declare them in registry metadata.
  2) Inspect any .env file you might place in the skill directory — do not reuse a file that contains unrelated secrets.
  3) If you only need webhook posting, prefer supplying a dedicated webhook URL with least privileges; do not supply your Bot token unless the skill explicitly needs and documents how it will be used.
  4) Run the scripts in a sandboxed environment (or review/modify them) to ensure they don't load unexpected secrets or call remote endpoints you don't control.
  5) Note the metadata/manifest inconsistencies (ownerId/slug differences) and prefer skills with clear provenance.

If the author cannot explain the mismatches, treat the package with caution or avoid installing it.
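As an added example (written for this review, not code from the skill or from ClawHub), here is the kind of loader a reviewer could substitute for a run.sh that blindly sources the whole .env: it parses the file as data and exports only the one variable the scan found the scripts actually use, WEBHOOK_URL. The function name load_allowed_env, the allowlist variable and the sample .env contents are constructed for the demonstration.

```shell
#!/bin/sh
# Hardened alternative to a run.sh that does `. "$SKILL_DIR/.env"`, which
# executes the file and exports everything in it. This version parses the
# file as data and exports only variables the skill's scripts are known to
# use. Example code written for this review, not part of the skill.

# The scan found the scripts use only WEBHOOK_URL; extend this only for
# variables the skill documents.
ALLOWED_ENV_KEYS="WEBHOOK_URL"

# load_allowed_env FILE
# Exports allowlisted KEY=VALUE lines from FILE and returns the number of
# lines it refused (undeclared variables or non-assignment content).
load_allowed_env() {
  file=$1
  refused=0
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac          # blanks and comments
    case $line in
      *=*) key=${line%%=*}; value=${line#*=} ;;
      *) echo "refused: not an assignment" >&2; refused=$((refused + 1)); continue ;;
    esac
    case $key in                                     # reject "export X", "$(cmd)", etc.
      *[!A-Za-z0-9_]*|[0-9]*|'')
        echo "refused: malformed key" >&2; refused=$((refused + 1)); continue ;;
    esac
    case $value in                                   # strip one layer of quotes
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    allowed=0
    for k in $ALLOWED_ENV_KEYS; do [ "$k" = "$key" ] && allowed=1; done
    if [ "$allowed" -eq 1 ]; then
      export "$key=$value"
    else
      echo "refused: undeclared variable $key" >&2   # log the name, never the value
      refused=$((refused + 1))
    fi
  done < "$file"
  return "$refused"
}

# Demo on a constructed .env mixing the declared key with unrelated secrets.
demo_env=$(mktemp)
printf '%s\n' 'WEBHOOK_URL=https://discord.com/api/webhooks/0/constructed' \
  'DISCORD_BOT_TOKEN="constructed-not-real"' 'AWS_SECRET_ACCESS_KEY=constructed' > "$demo_env"
load_allowed_env "$demo_env" || echo "refused $? undeclared entries" >&2
rm -f "$demo_env"
```

A non-zero return is the signal a reviewer wants: the .env placed in the skill folder carries more than the skill declares, which is exactly the accidental-loading case the scan describes.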


Current version: v1.0.2 (latest, version id vk97ck82sh4azt9rf459a7s19y580ntat)

SKILL.md

Discord Bot API Skill (Advanced)

Purpose

Provide a production-oriented guide for building Discord bot workflows via the REST API and Interactions, focusing on professional command UX, safe operations, and direct HTTPS usage (no SDKs).

Best fit

  • You want command-first bot behavior and clear interaction flows.
  • You prefer direct HTTP requests without a library dependency.
  • You need a structured map of Discord API surfaces.

Not a fit

  • You need a full SDK or gateway client implementation.
  • You plan to stream large media uploads directly.

Quick orientation

  • Read references/discord-api-overview.md for base URL, versioning, and object map.
  • Read references/discord-auth-and-tokens.md for token types and security boundaries.
  • Read references/discord-interactions.md for interaction lifecycle and response patterns.
  • Read references/discord-app-commands.md for slash, user, and message commands.
  • Read references/discord-messages-components.md for messages, embeds, and components.
  • Read references/discord-gateway-webhooks.md for gateway vs webhook tradeoffs.
  • Read references/discord-rate-limits.md for throttling and header-based handling.
  • Read references/discord-request-templates.md for HTTP payload templates.
  • Read references/discord-feature-map.md for the full surface checklist.

Required inputs

  • Bot token and application ID.
  • Interaction endpoint public key (if using interaction webhooks).
  • Command list and UX tone.
  • Allowed intents and event scope.

Expected output

  • A clear bot workflow plan, command design, and operational checklist.

Operational notes

  • Prefer interactions and slash commands over prefix parsing.
  • Always validate incoming interaction signatures.
  • Keep payloads small and respond quickly to interactions.

Security notes

  • Never log tokens or secrets.
  • Use least-privilege permissions and scopes.

Files: 13 total