discord admin
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Discord administration CLI, but it gives an agent broad bot-token-powered control over a Discord server and the credential/dependency requirements are under-declared.
Install only if you intentionally want an agent to help administer a Discord server. Use a dedicated least-privileged bot token, start in a test server, confirm every destructive or public action yourself, and consider adding allowlists or dry-run checks before using it on a real community.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with a powerful bot token, the agent could make visible or destructive changes to a Discord server, including removing channels, moderating users, or posting messages.
The wrapper directly exposes high-impact Discord API mutations, including deleting channels, banning members, and posting messages. These are purpose-aligned, but the artifacts do not show built-in confirmation or containment for destructive or public actions.
cmd_channel_delete() { ... api_call "DELETE" "/channels/$channel" }
cmd_member_ban() { ... api_call "PUT" "/guilds/$guild/bans/$user" ... }
cmd_message_send() { ... api_call "POST" "/channels/$channel/messages" "$data" }Use a least-privileged bot, limit it to a test or specific server, require explicit user confirmation for destructive/bulk/public actions, and add dry-run or allowlist safeguards before using this in production.
A bot token with broad permissions can authorize server-wide changes; users may not get an accurate pre-install warning from the metadata alone.
The script uses a Discord bot credential for API authorization. The supplied registry metadata says there are no required environment variables and no primary credential, which under-declares the permission boundary for a full server-admin skill.
BOT_TOKEN="${DISCORD_BOT_TOKEN:-}"
...
-H "Authorization: Bot $BOT_TOKEN"Declare DISCORD_BOT_TOKEN and required Discord permissions in metadata, use the minimum bot permissions needed, avoid passing tokens on the command line, and rotate the token if it is exposed.
The skill may fail or require additional local tools that were not visible in the registry requirements.
The script depends on local curl and jq, but the registry requirements list no required binaries. This looks like incomplete metadata rather than hidden installation behavior.
command -v curl &> /dev/null || { log_error "curl required"; }
command -v jq &> /dev/null || { log_error "jq required (sudo apt install jq)"; }Declare curl and jq as required binaries and review the shell scripts before making them executable.