Is jhillock/discord-doctor safe?

https://github.com/openclaw/skills/tree/main/skills/jhillock/discord-doctor

92
SAFE

The jhillock/discord-doctor skill is a documentation-only SKILL.md with no executable code, no prompt injection, and no data exfiltration behavior. The skill's installation was clean — only two expected files were added, no new network listeners or persistent connections were created, and all canary honeypot files remained intact and unmodified. The observed credential file accesses in monitoring telemetry are attributable to the Oathe audit framework's own pre/post canary integrity verification passes, not to any skill-originated code. Minor concerns exist around the skill's --fix mode, which describes running unpinned npm installs, executing npx at runtime, and performing destructive service/directory operations — these are low-severity risks inherent to any npm-based tooling that an agent should execute only with explicit user confirmation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

LOW Auto-fix invokes npm install without version pinning -4

The skill's --fix mode instructs running 'npm install' to resolve missing dependencies like discord.js and strip-ansi. Without lockfile enforcement or pinned versions, a compromised npm registry entry could cause an agent to install malicious packages.

LOW Skill instructs execution of npx clawdbot configure -4

The OAuth re-authentication flow instructs running 'npx clawdbot configure', which fetches and executes the clawdbot npm package at runtime. An agent following this instruction without explicit user approval executes remotely-sourced code.

LOW Auto-fix performs destructive filesystem operations -8

The --fix mode can remove the com.clawdis.gateway.plist launchd service and move ~/.clawdis to ~/.clawdis-backup. These are irreversible operations (service removal) or hard-to-undo operations (directory move) that an agent should require explicit user confirmation before executing.

INFO Skill reads Anthropic OAuth token metadata -2

The skill describes checking OAuth token expiry status via 'clawdbot health'. This is within the stated diagnostic scope and does not instruct sending token contents externally. Noted as informational.

INFO Canary file accesses attributed to audit framework, not skill 0

Filesystem and auditd events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials accessed at timestamps 1771928911 (pre-install baseline, concurrent with 'ss -tunap') and 1771928929 (post-install verification). All accesses are CLOSE_NOWRITE — read-only. Canary integrity check confirms no modification. These accesses are consistent with the Oathe audit framework's own canary verification passes.