Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pilot Discord Bridge

v1.0.0

Bidirectional bridge between Pilot Protocol and Discord servers. Use this skill when: 1. You need to send Discord notifications from Pilot agents 2. You want...

by Calin Teodor @teoslayer
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, and the commands in SKILL.md (pilotctl set-webhook, publish, subscribe, listen, recv) are consistent with a Pilot↔Discord bridge and with the stated dependency on pilotctl/pilot-protocol.
Instruction Scope
SKILL.md references an environment variable ($DISCORD_WEBHOOK), runs an external 'discord_relay.py' bot, and uses tools like jq and python3 in the example loop, but these are not declared in the metadata. The instructions therefore ask the agent/user to provide and run external code and secrets not accounted for in the skill manifest.
Install Mechanism
This is instruction-only (no install spec or code files), so nothing is downloaded or written by the skill itself. That lowers install risk, but the runtime expects an external relay script that is not provided.
Credentials
The skill does not declare required environment variables, yet the example uses $DISCORD_WEBHOOK and the webhook URL contains a token-like secret; sensitive data (webhook token) is therefore referenced but not declared or justified in requires.env. Also jq/python3 are used but not declared as required binaries.
Persistence & Privilege
always:false and no install means the skill does not request persistent or elevated platform privileges. It does not try to modify other skills or system-wide configs.
What to consider before installing
This skill's purpose (a Pilot↔Discord bridge) is plausible, but the SKILL.md and the registry metadata are inconsistent. Before installing or running it:

1) Confirm you have pilotctl and the pilot daemon running.
2) Treat your Discord webhook URL as a secret — do not paste it publicly; the skill should declare this in requires.env (e.g., DISCORD_WEBHOOK).
3) Ask the author for the 'discord_relay.py' source or a trusted implementation and review it before running; the skill references it but does not include it.
4) Ensure jq and python3 are available or update the metadata to list them as required binaries.
5) Run initial tests in an isolated environment or sandbox and avoid granting broad autonomous invocation until you verify behavior.

If the author updates the manifest to explicitly require DISCORD_WEBHOOK and the actual relay code or a trustworthy installation path is provided, the inconsistencies would be resolved and the skill would look benign.




Runtime requirements

Bins: pilotctl
