ClawHub

Post On Discord Channel

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for sending user-provided Discord webhook messages, and its external posting behavior is disclosed and aligned with its purpose.

Install only if you intend to let an agent post to Discord through webhook URLs. Review each destination webhook, avoid sending secrets or private files, restrict allowed_mentions unless broad pings are intentional, and rotate the webhook if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill advertises activation keywords such as "send," "webhook url," and "content," which are generic enough to match ordinary conversation and trigger this skill outside the user's intended context. In a tool that can transmit arbitrary messages and attachments to external Discord webhooks, over-broad routing increases the chance of unintended external posting or disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes rich messaging and file upload behavior but does not clearly warn users that message bodies, embeds, attachment contents, and mention targets are sent to third-party Discord webhook endpoints. This omission can cause users or upstream agents to pass sensitive data without understanding that it leaves the local environment and is delivered externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The schema explicitly supports sending arbitrary message content, embeds, file attachments, and a Discord webhook URL to an external service, but it does not warn users that webhook URLs are sensitive credentials or that provided content/files will be transmitted off-platform. In an agent context, this increases the risk of accidental secret exfiltration, unintended disclosure of attachments, and misuse of a leaked webhook for spam or impersonation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal