ClawHub

Discord Connect Wizard

v0.1.2

One-machine Discord bot onboarding wizard for OpenClaw. Use when setting up Discord for the first time (create bot, enable intents, invite to a guild, auto-w...

0· 491·2 current·2 all-time
by@gm4leejun-stack
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The stated purpose (bootstrapping a Discord bot into OpenClaw) matches the included code and instructions. However the package metadata declares no required binaries or primary credential, yet scripts call the local 'openclaw' executable and expect a browser automation tool. The skill will also accept/persist a Discord bot token and write OpenClaw config — those are appropriate for the purpose but the missing declaration of the 'openclaw' dependency is an incoherence.
!
Instruction Scope
SKILL.md instructs an agent to fully drive the Discord Developer Portal via a browser tool and to 'self-recover' (restart gateway/browser) on timeouts — giving the agent broad discretion over local actions. The runtime instructions and UI code request the bot token from the user, call Discord APIs, enumerate guilds/users, write config, restart the gateway, and approve pairing. All of these are within the stated onboarding scope, but the requirement that the agent open and control the Developer Portal (do not ask the user) and auto-retry/restart is operationally broad and should be understood prior to use.
Install Mechanism
There is no external install/download; this is instruction-plus-local-scripts only. No remote binaries or extracts are fetched. That minimizes supply-chain risk. The included Node scripts have no npm dependencies and run locally.
!
Credentials
The skill requests no environment variables in metadata, but the implementation invokes the local 'openclaw' command (execFile) and passes process.env to it. The skill will accept and handle a Discord bot token (a sensitive secret) supplied via the local UI. Requiring a bot token and restarting OpenClaw is proportional to the stated purpose, but the missing explicit declaration that the 'openclaw' binary must be present (and that the agent needs a browser automation capability) is an incoherence and should be corrected. Note: the code claims it will not log the token, but users must trust the included scripts and agent tooling to honor that.
Persistence & Privilege
The skill is not force-included (always:false) and uses normal autonomous invocation. It performs system actions (runs 'openclaw' to set config and restart the gateway) which are appropriate to onboarding but are privileged in that they modify local service state. This is expected for the purpose but worth noting: a malicious skill with similar privileges would have a wide blast radius, so ensure you trust the source.
What to consider before installing
This skill appears to implement an on-machine Discord→OpenClaw onboarding flow, but there are a few things to check before installing: - Confirm you have the local 'openclaw' CLI available: the scripts call 'openclaw config set' and 'openclaw gateway restart' but the skill metadata did not declare this required binary. If 'openclaw' is missing, the scripts will fail. - Understand the secret flow: you will paste your Discord bot token into a local UI; the script says it won't log the token, but you should inspect the included scripts (scripts/wizard.mjs) yourself or run them in an isolated environment to verify they don't transmit the token off-machine. - The agent is instructed to drive the Discord Developer Portal via a browser automation tool and to retry/restart on failures. If you enable autonomous agents or give them browser access, they can open sites and control the local browser — only grant that to agents/tools you trust. - Owner/homepage info is minimal (source unknown, homepage none). Prefer skills from known publishers or inspect the complete scripts before use. Recommended steps: review the two JS files locally, run the wizard in a sandbox or test environment first, ensure 'openclaw' is the expected CLI and that running it with process.env is acceptable, and verify that no network calls in the scripts send the token to unexpected endpoints. If anything is unclear, ask the publisher to explicitly list required binaries (openclaw) and the need for a browser automation tool in metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk97434nk4e038gzh0k4pp261d5824nee

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments