← 返回 Skills 市场
jolestar

Discord OpenAPI Skill

作者 jolestar · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
542
总下载
0
收藏
1
当前安装
2
版本数
在 OpenClaw 中安装
/install discord-openapi-skill
功能描述
Operate Discord HTTP API through UXC with Discord OpenAPI schema. Bot token recommended for full API access including messages and server management. OAuth2...
使用说明 (SKILL.md)

Discord API Skill

Use this skill to run Discord REST operations through uxc + OpenAPI.

Reuse the uxc skill for shared execution, auth, and error-handling guidance.

Prerequisites

  • uxc is installed and available in PATH.
  • Network access to https://discord.com/api/v10.
  • Access to Discord OpenAPI spec URL:
    • https://raw.githubusercontent.com/discord/discord-api-spec/main/specs/openapi.json
  • Discord bot token (recommended) or OAuth2 user authentication (limited functionality).

Authentication

Option 1: Bot Token (Recommended)

Bot token provides full access to Discord API including reading messages, managing servers, sending messages, and all administrative operations. This is the recommended method for most use cases.

  1. Create a bot application at https://discord.com/developers/applications
  2. Generate a bot token from the Bot section
  3. Configure bot credential:
uxc auth credential set discord-bot \
  --auth-type api_key \
  --header "Authorization=Bot {{secret}}" \
  --secret "YOUR_BOT_TOKEN_HERE"
  1. Bind credential to Discord API endpoint:
uxc auth binding add \
  --id discord-bot \
  --host discord.com \
  --path-prefix /api/v10 \
  --scheme https \
  --credential discord-bot \
  --priority 100

Option 2: OAuth2 User Authentication (Limited Use Cases)

Important: User OAuth2 has significant limitations and is not recommended for most operations:

  • ❌ Cannot read channel messages via HTTP API (local RPC only)
  • ❌ Cannot send messages or manage servers
  • ✅ Can read user profile, email, connections
  • ✅ Can list user's servers

Only use OAuth2 if you specifically need to access user profile information as the user. For all other operations, use Bot Token.

If you still need OAuth2 for user profile operations:

Configuration:

  • Client ID: 1479302369723285736
  • Redirect URI: http://127.0.0.1:11111/callback

OAuth2 Scopes:

Discord user OAuth2 supports read-only operations. It cannot send messages or manage servers as a user (use Bot Token for those operations).

Recommended Scopes (Full Functionality):

--scope "identify email connections guilds guilds.members.read messages.read openid"

Minimal Read-Only Scopes:

--scope "identify email connections guilds guilds.members.read"

Scope Reference:

Scope Description Write Operation
identify Basic user info (username, avatar, etc.) ❌ Read
email User's email address ❌ Read
connections Linked third-party accounts (Twitch, YouTube, etc.) ❌ Read
guilds User's server list ❌ Read
guilds.join Join user to servers (requires the same application's bot to already be in that guild) Write
guilds.members.read User's member info in servers ❌ Read
messages.read Read messages (local RPC only, not HTTP API) ❌ Read
openid OpenID Connect support ❌ Read

Note: User OAuth2 cannot send messages or manage servers as the user. Use Bot Token for write operations. guilds.join is a special user OAuth write capability that depends on the same application's bot already being in the target guild, so it is not part of the default read-only flow. See Discord OAuth2 documentation for complete scope list.

Two-Stage OAuth Flow (Agent-Friendly):

  1. Start OAuth flow with desired scopes:
uxc auth oauth start discord-user \
  --endpoint https://discord.com/api/oauth2/token \
  --client-id 1479302369723285736 \
  --redirect-uri http://127.0.0.1:11111/callback \
  --scope "identify email connections guilds guilds.members.read messages.read openid"

  1. Open the displayed authorization URL in browser, complete authorization, then copy the callback URL from browser address bar.

  2. Complete OAuth flow:

uxc auth oauth complete discord-user \
  --session-id \x3Csession_id_from_step_1> \
  --authorization-response "\x3Ccallback_url_from_browser>"
  1. Bind credential:
uxc auth binding add \
  --id discord-user \
  --host discord.com \
  --path-prefix /api/v10 \
  --scheme https \
  --credential discord-user \
  --priority 100

Interactive Alternative (Local Terminal Only):

uxc auth oauth login discord-user \
  --endpoint https://discord.com/api/oauth2/token \
  --flow authorization_code \
  --client-id 1479302369723285736 \
  --redirect-uri http://127.0.0.1:11111/callback \
  --scope "identify email connections guilds guilds.members.read messages.read openid"

Then paste the callback URL when prompted.

Core Workflow

  1. Use fixed link command by default:

    • command -v discord-openapi-cli
    • If missing, create it: uxc link discord-openapi-cli https://discord.com/api/v10 --schema-url https://raw.githubusercontent.com/discord/discord-api-spec/main/specs/openapi.json
    • discord-openapi-cli -h

  2. Discover operations with schema mapping:

    • discord-openapi-cli -h

  3. Inspect operation schema first:

    • discord-openapi-cli get:/users/@me -h
    • discord-openapi-cli post:/channels/{channel_id}/messages -h

  4. Execute operation:

    • connectivity check (no auth): discord-openapi-cli get:/gateway
    • key/value: discord-openapi-cli get:/guilds/{guild_id}/channels guild_id=GUILD_ID
    • positional JSON: discord-openapi-cli post:/channels/{channel_id}/messages '{"channel_id":"CHANNEL_ID","content":"Hello from uxc"}'
    • binding check when auth looks wrong: uxc auth binding match https://discord.com/api/v10

Authentication Methods Comparison

Feature Bot Token User OAuth2
Read channel messages ✅ Full access ❌ Not via HTTP API
Send messages ✅ As the bot ❌ Not supported
Manage channels/roles ✅ Bot permissions ❌ Not supported
Moderation actions ✅ Bot permissions ❌ Not supported
List servers ✅ Servers bot is in ✅ User's servers
Read user info ❌ Not available ✅ As the user
Message appearance Bot badge "BOT" N/A

Key Recommendation: Use Bot Token for almost all operations. User OAuth2 is only useful if you need to read user profile information as that specific user. For reading channel messages, managing servers, or sending messages, Bot Token is required.

Subscribe / Gateway Status

Discord inbound events flow through the Gateway WebSocket, not through this REST/OpenAPI surface.

Current uxc subscribe status:

  • the built-in discord-gateway transport now bootstraps through GET /gateway/bot
  • live Gateway sessions reached READY and delivered GUILD_CREATE
  • a real posted channel message produced a MESSAGE_CREATE event in the subscribe sink
  • heartbeat scheduling, IDENTIFY, sequence tracking, and reconnect handling are implemented

Recommended invocation:

uxc subscribe start https://discord.com/api/v10 \
  '{"intents":4609,"device":"uxc-discord"}' \
  --transport discord-gateway \
  --auth discord-bot \
  --sink file:$HOME/.uxc/subscriptions/discord-gateway.ndjson

Intent notes:

  • 4609 = GUILDS | GUILD_MESSAGES | DIRECT_MESSAGES
  • add 32768 (MESSAGE_CONTENT) only when the bot has that privileged intent enabled in the Discord developer portal

Use discord-openapi-cli for REST calls and uxc subscribe start ... --transport discord-gateway ... for inbound Gateway events.

Guardrails

  • OAuth2 Scope Limitation: User OAuth2 tokens cannot read channel messages via HTTP API, send messages, or manage servers. These operations require Bot Token authentication.
  • Discord OpenAPI spec is persisted in the generated link via uxc link --schema-url ...; pass --schema-url \x3Cother-url> only when you need to override it temporarily.
  • Keep automation on JSON output envelope; do not use --text.
  • Parse stable fields first: ok, kind, protocol, data, error.
  • Prefer positional JSON for non-string objects instead of --input-json.
  • discord-openapi-cli \x3Coperation> ... is equivalent to uxc https://discord.com/api/v10 --schema-url \x3Cdiscord_openapi_spec> \x3Coperation> ....
  • Treat post:/channels/{channel_id}/messages, delete/update endpoints, and moderation endpoints as write/high-risk operations; require explicit user confirmation before execution.

References

安全使用建议
This skill does what it says (wraps Discord API calls via uxc/OpenAPI) but you should be cautious before supplying credentials or using the provided OAuth client id. Recommendations before installing or using: - Prefer creating and using your own Discord application and bot token rather than reusing the hard-coded client id or any third-party client; that ensures tokens are issued to an app you control. The SKILL.md includes a client id but does not state who operates that OAuth app. - Treat a Discord bot token as highly sensitive: it can read and modify servers and messages depending on permissions. Only grant the minimum OAuth scopes / bot permissions needed (avoid MESSAGE_CONTENT and privileged intents unless absolutely necessary). - Use a secure secret storage mechanism (uxc secret support or your OS secret manager) rather than pasting tokens into command lines. Verify how uxc stores credentials locally. - Verify the origin and trustworthiness of the uxc binary (the skill assumes uxc is installed and will perform network calls). If you don't trust uxc, do not use this skill. - Review and understand the subscription sink location (it writes events to $HOME/.uxc/...) so you know where potentially sensitive event data will be stored. - If you are uncomfortable with autonomous invocation, restrict the skill from being called automatically or require manual confirmation before write operations. If you want a higher-confidence verdict, provide (a) who operates the OAuth client id embedded in the SKILL.md, and (b) whether uxc's credential storage keeps secrets encrypted and local — with that information I can reassess the level of risk.
功能分析
Type: OpenClaw Skill Name: discord-openapi-skill Version: 1.0.1 The skill provides a legitimate interface for interacting with the Discord REST API and Gateway via the `uxc` utility. It includes comprehensive documentation for authentication (Bot Tokens and OAuth2), provides clear usage examples in `SKILL.md` and `usage-patterns.md`, and incorporates security guardrails that instruct the agent to seek user confirmation before performing high-risk write operations. No evidence of malicious intent, data exfiltration, or unauthorized execution was found.
能力评估
Purpose & Capability
The skill's name and description match what the SKILL.md instructs: it uses uxc + the Discord OpenAPI spec to discover and call Discord REST endpoints. It does not request unrelated cloud credentials or binaries. However, the metadata declares no primary credential even though the runtime instructions recommend supplying a bot token (or performing OAuth), which is an inconsistency between declared requirements and actual runtime needs.
Instruction Scope
Runtime instructions ask the agent/operator to create credentials, bind them, and execute potentially high-impact API calls (reading messages, sending messages, server management, subscribing to the gateway and writing event streams to $HOME). The SKILL.md also supplies a hard-coded OAuth client id and redirect URI for user OAuth flows without explaining who owns that client — meaning authorizing via those flows would grant a third party access to the user's data. These behaviors are within the stated purpose but introduce privacy/privilege risks that the skill does not explain or justify.
Install Mechanism
This is instruction-only (no install spec). There is one helper script (scripts/validate.sh) used for local validation; it is simple and only checks presence/content of files and requires ripgrep. No downloads or arbitrary install steps are present in the package.
Credentials
The skill implicitly needs a Discord bot token or OAuth tokens to be useful, but the registry metadata lists no required environment variables or primary credential. The references show examples using an environment variable (DISCORD_BOT_TOKEN), and the SKILL.md recommends supplying a bot token (which grants full API privileges). The combination of (a) not declaring a main credential and (b) promoting use of a high-privilege bot token and an included third-party OAuth client id is disproportionate without clear guidance on ownership, minimal scopes, or storage practice.
Persistence & Privilege
The skill is not force-included (always:false) and does not request system-wide configuration changes beyond binding uxc credentials and optionally writing subscription output to a file in the user's home. Autonomous invocation (model can call the skill) is enabled by default but is not combined with other high-privilege flags (no always:true), so no extra persistence concern from metadata alone.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install discord-openapi-skill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /discord-openapi-skill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Add validated Discord Gateway subscribe guidance and transport-aware docs.
v1.0.0
Initial release of discord-openapi-skill: - Enables Discord HTTP API access via UXC using the official OpenAPI schema. - Supports both Bot Token (full access) and OAuth2 user authentication (limited use cases). - Provides detailed setup instructions for authentication, linking, and operation discovery. - Clearly documents OAuth2 limitations—cannot send/read channel messages or manage servers via HTTP API. - Includes guidance on safe API usage and distinguishes between high-risk write operations and safe reads. - References official Discord API documentation and OpenAPI resources.
元数据
Slug discord-openapi-skill
版本 1.0.1
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 2
常见问题

Discord OpenAPI Skill 是什么?

Operate Discord HTTP API through UXC with Discord OpenAPI schema. Bot token recommended for full API access including messages and server management. OAuth2... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 542 次。

如何安装 Discord OpenAPI Skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install discord-openapi-skill」即可一键安装,无需额外配置。

Discord OpenAPI Skill 是免费的吗?

是的,Discord OpenAPI Skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Discord OpenAPI Skill 支持哪些平台?

Discord OpenAPI Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Discord OpenAPI Skill?

由 jolestar(@jolestar)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论