discord admin
v1.0.0Complete A-Z Discord server administration. Channel/role/member management, AutoMod, webhooks, templates, audit logs, scheduled events, threads, and full server control via CLI.
⭐ 0· 1.3k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name and description match the included scripts (they implement broad Discord admin actions). However the registry metadata declares no required environment variables or binaries, while both SKILL.md and the scripts require DISCORD_BOT_TOKEN (and recommend/disallow curl/jq). This mismatch between declared requirements and actual payload is incoherent.
Instruction Scope
SKILL.md and the two shipped Bash scripts instruct the agent/user to set DISCORD_BOT_TOKEN and then call the scripts which directly call the Discord API (https://discord.com/api/v10). The instructions do not reference unrelated system files or external endpoints besides Discord, but they do rely on an undeclared secret (DISCORD_BOT_TOKEN) and on running arbitrary shell scripts — the agent would be given broad discretion to perform destructive actions (ban, delete channels, edit roles) if the token is provided.
Install Mechanism
There is no install spec (instruction-only install), which minimizes installer risk. However the package includes two executable Bash scripts that will be run locally; the SKILL.md recommends chmod +x and executing them. The code is plain Bash calling Discord's API (no hidden download URLs), so install risk is moderate but requires manual review before execution.
Credentials
The skill requires a high-privilege secret (a Discord Bot token) to function, and optionally DISCORD_GUILD_ID, but the registry metadata lists no required env vars or primary credential. Requesting an undeclared token is a red flag — the skill would gain full programmatic control over any guild the bot is in, so the lack of explicit credential declaration is disproportionate and misleading.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false), does not modify other skills or system-wide config, and contains no installation step that creates persistent background agents. It runs as a user-invoked CLI, which is appropriate for its purpose.
What to consider before installing
Do not supply a Discord bot token until you verify the source and review the scripts yourself. The scripts will accept and use DISCORD_BOT_TOKEN (and may use DISCORD_GUILD_ID) but the skill metadata doesn't declare those requirements — that's an inconsistency. Before installing or running: (1) inspect the full scripts for any unexpected remote endpoints or obfuscated behavior (they appear to call only discord.com/api/v10), (2) run them in an isolated or test environment (a disposable bot in a test server) with minimal permissions, (3) confirm you trust the publisher (no homepage/source listed), and (4) ask the maintainer to update the metadata to explicitly declare required env vars and binaries (curl, jq). If you need stronger assurance, prefer a verified/known source or run equivalent functionality from official SDKs you trust.Like a lobster shell, security has layers — review code before you run it.
latestvk97erp7pkhk0dj1tzscnjtjyns80nb71
License
MIT-0
Free to use, modify, and redistribute. No attribution required.