Code Plugin · source linked · Verified

Discord v2026.5.28

OpenClaw Discord channel plugin for channels, DMs, commands, and app events.

@openclaw/discord · runtime discord · by @openclaw
openclaw plugins install clawhub:@openclaw/discord
Latest release: v2026.5.28

Capabilities

Channels: discord
configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: discord
Setup entry: Yes

Compatibility

Built with OpenClaw version: 2026.5.28
Min gateway version: >=2026.5.26
Plugin API range: >=2026.5.28
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The package purpose is a Discord channel plugin for channels, DMs, commands, app events, optional voice, reactions, and Discord management actions; the examined capabilities match that purpose and are not disguised, but they are inherently high-impact.
Instruction Scope
Runtime behavior is scoped through Discord bot permissions plus plugin configuration for DM policy, group/channel allowlists, action gates, privileged intents, and voice settings; some advanced actions and audio processing require administrator attention.
Install Mechanism
The artifact is the trusted @openclaw/discord package, source-linked to openclaw/openclaw, with no npm install lifecycle script found and no VirusTotal detections.
Credentials
Discord API/gateway access, the DISCORD_BOT_TOKEN, optional proxy use, PluralKit API access, and optional audio transcription are proportionate to a Discord bot channel provider.
Persistence & Privilege
The plugin handles Discord bot tokens and can persist thread-binding state, including webhook tokens, under the OpenClaw state directory; this is purpose-aligned but should be treated as sensitive local state.
Scan Findings in Context
[SDI-2] expected: Status reaction rebinding is part of Discord reaction/tool-progress behavior and requires an explicit tool reaction path; it can affect Discord messages the bot can access, so operators should keep reaction and message actions scoped.
[SDI-2] expected: Audio attachment transcription is tied to Discord audio-only DM or mention-handling flows after channel access checks; it is expected for voice/audio support, but it may send attachment URLs to the configured media transcription runtime.
[SDI-4] unexpected: The category-overwrite permission concern appears to be an authorization edge-case or implementation mismatch, not evidence of deception or exfiltration; it should be fixed or documented upstream.
[SQP-2] unexpected: The account inspection path can return a resolved plaintext bot token to plugin callers; token use is necessary, but raw token exposure from an inspect API is broader than ideal and should remain confined to trusted host code.
[SQP-2] expected: The duplicate audio-disclosure concern reflects the same expected transcription feature; the risk is privacy disclosure and consent, not hidden unrelated data collection.
[SQP-2] expected: Thread binding persistence is expected for bound Discord thread delivery; storing webhook tokens in plaintext local JSON increases local-secret exposure but does not indicate remote exfiltration.
[SQP-2] expected: The top-level manifest description is terse, but the manifest and runtime expose DM policy, privileged intent, token, voice, action, and allowlist configuration; this is a documentation gap rather than malicious behavior.
Assessment
Install only for Discord servers where you are comfortable giving an OpenClaw bot access to messages, DMs if enabled, attachments, and optional voice/audio. Use the narrowest Discord bot permissions, keep DM policy restrictive, enable privileged intents and moderation/channel-management actions only when needed, protect the bot token and state directory, and tell server users when audio or private-message content may be processed.
dist/manager.runtime-ClhnLsZf.js:95: Shell command execution detected (child_process).
dist/provider-DCcqVFp-.js:2318: Environment variable access combined with network send.
dist/pluralkit-DAZN3ZMK.js:11: File appears to expose a hardcoded API secret or token.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: e93216080aa1
Tag: refs/heads/release/2026.5.28
Provenance: No
Scan status: clean

Tags

alpha: 2026.5.19-alpha.1
beta: 2026.6.1-beta.1
latest: 2026.5.28