Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Discord History Reader

Read Discord channel and thread message history directly via the Discord Bot API, bypassing OpenClaw's session-based message visibility. Use when you need to...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Eason Chen @EasonC13
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, and runtime instructions align: a Discord bot token is logically required to read channel/thread history via the Discord API. However, the registry metadata declares no required credentials or primaryEnv even though the SKILL.md explicitly requires storing and reading a bot token from disk. That mismatch is noteworthy.
!
Instruction Scope
SKILL.md instructs the user to create a token file (~/.openclaw/.discord-bot-token), set permissions, and have the agent read that file and call Discord endpoints via curl. The instructions are narrowly scoped to calling Discord API endpoints, but they intentionally bypass OpenClaw's redaction mechanism by placing the token in a file accessible to the agent — this grants the agent broader and persistent access than a simple transient session and could be used for actions beyond read-only calls (the doc even notes the token has read/write scope).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes filesystem changes and direct supply-chain risks.
!
Credentials
The skill requires a Discord bot token (a high-privilege secret) but does not declare any required env vars or primary credential in the registry metadata. The recommended storage method (a file the agent can read) increases the token's exposure. While the token is necessary to perform the stated task, requesting it be stored in a file accessible to the agent is disproportionate compared with safer alternatives (e.g., platform secret storage, scoped read-only token, or an audited proxy).
!
Persistence & Privilege
The skill does not set always:true, but SKILL.md tells users to record the token file path in TOOLS.md so the agent can find it across sessions — effectively creating persistent, cross-session access. Combined with default autonomous invocation, that persistence increases the blast radius if the token is compromised or misused.
What to consider before installing
This skill will work as documented, but it asks you to create a file containing your Discord bot token that the agent can read — effectively giving any agent-run code that can access that file the same privileges as the bot (including sending messages if the token allows it). Before installing or using this skill, consider:

  1) Use a dedicated bot with the minimal scopes (ideally only View Channel + Read Message History) and limit the bot to the specific guilds/channels required.
  2) Prefer secure secret storage or OpenClaw-native credential mechanisms rather than a plaintext token file.
  3) If you must use a file, restrict filesystem access tightly, keep it out of backups/git, and rotate the token frequently.
  4) Remember agents can invoke skills autonomously by default — avoid recording the token path in globally-readable tool lists unless you trust all agents and users.
  5) If you lack confidence about safe token handling, do not install — instead create a read-only proxy or ask platform maintainers for a vetted integration.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Discord Context

Problem

OpenClaw is session-based: agents only see messages from conversations where they have an active session. Discord threads that the agent wasn't mentioned in or hasn't interacted with are invisible — there's no built-in tool to read arbitrary channel/thread history.

Additionally, OpenClaw redacts the Discord bot token from openclaw config get and environment variables (by design), so agents cannot make direct Discord API calls using the configured token.

Solution

Store the Discord bot token in a separate file accessible to the agent, then use curl to call the Discord API directly.

Setup (one-time, run as the user)

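# Store your bot token in a file outside the workspace (won't be git-committed)
# The subshell umask creates the file owner-only from the start, so the token
# is never readable by others between the write and the chmod
(umask 077; echo 'YOUR_DISCORD_BOT_TOKEN' > ~/.openclaw/.discord-bot-token)
chmod 600 ~/.openclaw/.discord-bot-token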

Record the path in TOOLS.md so the agent knows where to find it across sessions.

Reading Messages

# Load token
DISCORD_TOKEN=$(cat ~/.openclaw/.discord-bot-token)

# Read recent messages from a channel or thread (threads are channels in Discord)
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \
  "https://discord.com/api/v10/channels/{channel_or_thread_id}/messages?limit=50" \
  | python3 -m json.tool

# Read messages before a specific message ID (pagination)
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \
  "https://discord.com/api/v10/channels/{channel_id}/messages?limit=50&before={message_id}" \
  | python3 -m json.tool

# List active threads in a guild (API v10 serves this per guild, not per
# parent channel; filter the returned threads by parent_id)
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \
  "https://discord.com/api/v10/guilds/{guild_id}/threads/active" \
  | python3 -m json.tool

Finding Thread/Channel IDs

  • Enable Developer Mode in Discord: User Settings → Advanced → Developer Mode
  • Right-click any channel or thread → Copy Channel ID
  • Thread IDs and channel IDs work the same way in the API

Key Notes

  • Discord returns messages newest-first by default
  • Max limit is 100 per request; use before/after params to paginate
  • The bot must be a member of the guild and have View Channel + Read Message History permissions
  • Rate limits apply: 50 requests/second per route (respect 429 responses and Retry-After headers)
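
The read calls above can be narrowed to a wrapper that can only issue the message-history GET and that keeps the token out of curl's argument list. This is an added example, not part of the skill; the function names and the TOKEN_FILE variable are hypothetical, and the sample IDs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: a read-only wrapper around the message-history endpoint.
# Function names and TOKEN_FILE are hypothetical, not part of the skill.
API=https://discord.com/api/v10
TOKEN_FILE=${TOKEN_FILE:-$HOME/.openclaw/.discord-bot-token}

# Discord IDs are 64-bit integers (at most 20 decimal digits). Rejecting
# anything else stops an ID argument from carrying extra path segments or
# query parameters into the URL.
is_snowflake() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# usage: discord_messages_url CHANNEL_OR_THREAD_ID [LIMIT] [BEFORE_MESSAGE_ID]
# Prints the URL on success; prints a reason to stderr and returns 1 otherwise.
discord_messages_url() {
    is_snowflake "${1:-}" || { echo "bad channel id" >&2; return 1; }
    limit=${2:-50}
    case $limit in ''|*[!0-9]*|????*) echo "bad limit" >&2; return 1 ;; esac
    if [ "$limit" -lt 1 ] || [ "$limit" -gt 100 ]; then
        echo "limit must be 1-100" >&2; return 1
    fi
    url="$API/channels/$1/messages?limit=$limit"
    if [ -n "${3:-}" ]; then
        is_snowflake "$3" || { echo "bad message id" >&2; return 1; }
        url="$url&before=$3"
    fi
    echo "$url"
}

# GET only: no -X, no request body, and the URL can only come from the
# builder above. The Authorization header reaches curl on stdin (--config -),
# so the token is not visible in the process list the way -H "..." is.
discord_get_messages() {
    url=$(discord_messages_url "$@") || return 1
    printf 'header = "Authorization: Bot %s"\n' "$(cat "$TOKEN_FILE")" |
        curl --silent --fail --proto '=https' --config - "$url"
}
```

The wrapper limits what a caller of these functions can request; it does not reduce what the token itself permits, so the bot's Discord permissions still need to be read-only.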

Response Fields

Each message object contains:

  • content — message text
  • author.username / author.global_name — who sent it
  • timestamp — when
  • id — message ID (for pagination or reply references)
  • referenced_message — the message being replied to (if a reply)

Security Considerations

  • The token file is chmod 600 and outside the git-tracked workspace
  • The bot token grants read/write access to all channels the bot is in — treat it like a password
  • Prefer read-only API calls; do not use this for sending messages (use OpenClaw's native routing instead)
  • If the token is rotated in Discord Developer Portal, update both openclaw config and the token file
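
The file-based storage described above depends on the permissions staying as set. The following check is an added example, not part of the skill: it audits a token file (mode, ownership, symlinks, and a writable parent directory) before anything reads it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a bot-token file before use.
# Returns 0 when acceptable, 1 when there is at least one finding (on stdout).
# Call as: audit_token_file ~/.openclaw/.discord-bot-token

# Octal permission bits; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid, same fallback.
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

audit_token_file() {
    f=$1
    rc=0
    if [ -L "$f" ]; then
        echo "FINDING: $f is a symlink; the real file may sit somewhere less protected"
        rc=1
    fi
    if [ ! -f "$f" ]; then
        echo "FINDING: $f is missing or not a regular file"
        return 1
    fi
    mode=$(file_mode "$f")
    case $mode in
        600|400) ;;
        *) echo "FINDING: mode $mode on $f; expected 600 or 400"; rc=1 ;;
    esac
    if [ "$(file_uid "$f")" != "$(id -u)" ]; then
        echo "FINDING: $f is not owned by the current user"
        rc=1
    fi
    dir=$(dirname "$f")
    dmode=$(file_mode "$dir")
    # A write bit for group or others on the parent directory lets another
    # account replace the token file even though the file itself is 600.
    case $dmode in
        *[2367]?|*[2367])
            echo "FINDING: directory $dir (mode $dmode) is writable by group or others"
            rc=1 ;;
    esac
    return $rc
}
```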
