Skill v1.0.0
ClawScan security
Agent Swarm Kit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 2:07 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The instructions, templates, and config snippets are consistent with the stated goal (coordinating multiple OpenClaw agents in a Discord channel); nothing requested or prescribed is disproportionate to that purpose.
- Guidance: This skill appears coherent and focused on coordinating multiple OpenClaw agents via Discord. Before installing: (1) note the skill's source is unknown — prefer installing community skills from trusted publishers; (2) provision separate Discord bot accounts/tokens as instructed and store those tokens securely (do not paste tokens into public places or repos); (3) restrict bot permissions to the minimum needed (View, Send, Read History) and test swarming in a private/test server to avoid accidental loops or spam; (4) follow the provided loop-prevention rules and consider adding rate limits or slow mode on the channel; (5) audit logs and revoke tokens if behavior is unexpected. If you want higher assurance, ask the publisher for a verified homepage or a git repo so you can review provenance and any updates.
Review Dimensions
- Purpose & Capability (ok): The name and description match the content: setup patterns for multi-agent collaboration on Discord. The skill does not request unrelated binaries, cloud creds, or external services. The examples legitimately show needing separate Discord bot accounts/tokens and agent config changes, which are appropriate for the stated capability.
- Instruction Scope (note): SKILL.md instructs editing agent configs (OpenClaw JSON, SOUL.md) and placing Discord bot tokens/account bindings into those configs — actions that change local agent configuration and require secret bot tokens. This is within scope for running multi-agent swarms, but it does mean you must provide and manage bot credentials and modify agent files. The guide also warns about loop prevention and provides rules; still, misconfiguration could cause agent message loops, so test in a private server first.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This minimizes disk-write and supply-chain risk.
- Credentials (note): The registry metadata declares no required env vars, but the instructions require you to supply Discord bot tokens / account bindings in agent configs. That is proportionate to the functionality (agents need bot accounts to post), but users should be aware the skill presumes storing and using secrets (bot tokens) in agent configuration; the skill does not itself request or manage any unrelated credentials.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated platform privileges, and does not attempt to modify other skills or system-wide settings. It only prescribes edits to the installing user's agent configuration files, which is expected for this feature.
