Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

discord admin

v1.0.0

Complete A-Z Discord server administration. Channel/role/member management, AutoMod, webhooks, templates, audit logs, scheduled events, threads, and full server control via CLI.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims full Discord server administration and the included scripts implement that via the Discord API — capability matches purpose. However, the package metadata declares no required environment variables or binaries, while the runtime clearly expects DISCORD_BOT_TOKEN (and optionally DISCORD_GUILD_ID) and the presence of curl and jq. That mismatch is an incoherence in the package description.
Instruction Scope
SKILL.md and the scripts instruct the agent to call Discord's API endpoints using a bot token and to run local CLI scripts. The instructions do not attempt to read unrelated system files or call external endpoints other than discord.com. They do, however, instruct the user/agent to export a sensitive DISCORD_BOT_TOKEN which is necessary for the stated functionality.
Install Mechanism
There is no install spec (instruction-only), which is lower-risk in principle. But the skill bundle contains two executable shell scripts. Because files are included, the agent/package will write these scripts to disk and users will run them; the package does not provide an install step or provenance for those scripts. That increases the need for manual review of the code before execution.
Credentials
The scripts require a DISCORD_BOT_TOKEN (and optionally DISCORD_GUILD_ID) — appropriate for a Discord admin tool. However, the registry metadata lists no required env vars or primary credential. The omission is problematic because DISCORD_BOT_TOKEN is sensitive and should have been declared explicitly. No unrelated secrets are requested and network calls are only to Discord's API.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide configs. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk factors.
What to consider before installing
This package implements a full Discord admin CLI and therefore needs a Discord bot token and command-line tools (curl, jq). Before installing or running it:
1) Do not paste your production bot token into an unfamiliar script — treat DISCORD_BOT_TOKEN as highly sensitive.
2) Because the registry metadata omits required env vars and binaries, manually inspect the included scripts (discord-admin.sh and discord-ctrl.sh) — they are provided in plain Bash and call only discord.com APIs, but you should still verify for unexpected network calls or backdoors.
3) Prefer using a test bot account with limited permissions (least privilege) when trying this out.
4) Run the scripts in an isolated environment (container or throwaway VM) if you can't fully audit them.
5) Ask the publisher for provenance or a signed release; absence of a homepage/source makes it harder to trust.
If you want, I can summarize specific lines of the scripts or search them for suspicious network destinations or code patterns to help with the review.


latest: vk9704xynr4ank5chydpqscag2d80nnav
