Skill v1.0.0

ClawScan security

Pilot Discord Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 9, 2026, 1:17 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's goals match a Discord<->Pilot bridge, but the runtime instructions reference undeclared secrets, tools, and an external relay script that are not listed in the metadata — this mismatch warrants caution.
Guidance
This skill's purpose (a Pilot↔Discord bridge) is plausible, but the SKILL.md and the registry metadata are inconsistent. Before installing or running it:

1) Confirm you have pilotctl and the pilot daemon running.
2) Treat your Discord webhook URL as a secret — do not paste it publicly; the skill should declare this in requires.env (e.g., DISCORD_WEBHOOK).
3) Ask the author for the 'discord_relay.py' source or a trusted implementation and review it before running; the skill references it but does not include it.
4) Ensure jq and python3 are available, or update the metadata to list them as required binaries.
5) Run initial tests in an isolated environment or sandbox, and avoid granting broad autonomous invocation until you have verified its behavior.

If the author updates the manifest to explicitly require DISCORD_WEBHOOK and provides the actual relay code or a trustworthy installation path, the inconsistencies would be resolved and the skill would look benign.

Review Dimensions

Purpose & Capability
ok: Name/description and the commands in SKILL.md (pilotctl set-webhook, publish, subscribe, listen, recv) are consistent with a Pilot↔Discord bridge and with the stated dependency on pilotctl/pilot-protocol.
Instruction Scope
concern: SKILL.md references an environment variable ($DISCORD_WEBHOOK), runs an external 'discord_relay.py' bot, and uses tools like jq and python3 in the example loop, but none of these are declared in the metadata. The instructions therefore ask the agent/user to provide and run external code and secrets not accounted for in the skill manifest.
Install Mechanism
ok: This is instruction-only (no install spec or code files), so nothing is downloaded or written by the skill itself. That lowers install risk, but the runtime expects an external relay script that is not provided.
Credentials
concern: The skill does not declare required environment variables, yet the example uses $DISCORD_WEBHOOK, and the webhook URL contains a token-like secret; sensitive data (the webhook token) is therefore referenced but neither declared nor justified in requires.env. jq and python3 are also used but not declared as required binaries.
Persistence & Privilege
ok: always:false and the absence of an install spec mean the skill does not request persistent or elevated platform privileges. It does not try to modify other skills or system-wide configs.