Sync Discord Identity

Security checks across malware telemetry and agentic risk

Overview

The skill openly syncs a Discord bot profile into local OpenClaw identity files, with some privacy considerations around storing Discord email or bio metadata.

Install only if you are comfortable letting the skill read the selected workspace's Discord bot token from openclaw.json and update local identity files. Before running it, verify the workspace path and avoid keeping email or bio in IDENTITY.md unless you intentionally want that data available to other tools or anyone who can read or share the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill clearly describes file reads/writes and outbound network access to the Discord API, but its manifest declares only required binaries and no explicit permissions model. In systems that rely on declared permissions for review, consent, or sandboxing, this creates capability mismatch and weakens users' ability to assess or constrain what the skill can do.

Ssd 3

Medium
Confidence: 95%
Finding
The skill explicitly instructs persisting Discord profile fields including email and bio into IDENTITY.md, which is a durable workspace file likely to be read, indexed, shared, committed, or exposed to other tools. Email is sensitive account data, and even bio may contain personal or operational details, so copying it into a general identity document increases data leakage risk beyond the original API context.

Ssd 3

Medium
Confidence: 94%
Finding
The examples normalize inclusion of email in generated identity content, which encourages downstream agents or users to treat sensitive profile data as standard metadata to persist. Because examples strongly shape implementation behavior, this materially increases the chance of unnecessary disclosure of account information in files that may later be published or shared.

VirusTotal

67/67 vendors flagged this skill as clean.
