Inspirai Project

Security checks across malware telemetry and agentic risk

Overview

This Discord project-management skill is mostly purpose-aligned, but it can expose your Discord bot token and can post or change project data with broad triggers.

Install only if you are comfortable giving the skill access to a Discord bot and project channels. Before use, remove or redact the helper's config output, use a least-privilege bot token, prefer explicit /project:* commands, review every Discord-bound message, and avoid putting confidential details in project descriptions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

High (99% confidence)

Finding: The `config` subcommand reads `~/.openclaw/openclaw.json` and prints the full Discord configuration, including the bot token, to stdout. Exposing a live bot token is a real secret-disclosure issue because any caller, wrapper, log collector, or other agent that can invoke this command can capture the credential and then impersonate the bot against the Discord API.

Description-Behavior Mismatch

Medium (94% confidence)

Finding: The skill is presented as a read-only status viewer, but it also instructs the agent to modify `projects.json` and archive projects based on conversational phrases like “这个项目做完了” or “归档”. This creates a scope mismatch where a user may trigger a state-changing action while expecting only status retrieval, increasing the risk of unintended data modification.

Vague Triggers

Medium (90% confidence)

Finding: The trigger phrases include very generic terms such as '讨论一下', 'discuss', and 'project status', which overlap with normal conversation and can cause the skill to activate unintentionally. In this skill's context, accidental activation is more dangerous because the described actions include creating Discord threads, routing work across agents, and assigning tasks, potentially causing unintended external side effects.

Missing User Warnings

Medium (97% confidence)

Finding: The `config` path prints the token and channel mapping immediately with no warning, confirmation, masking, or access control. In an agent-skill context, stdout is often surfaced to users, other tools, transcripts, or logs, so this materially increases the likelihood of credential leakage and unauthorized Discord bot use.

Vague Triggers

High (95% confidence)

Finding: The manifest includes very broad trigger phrases such as '问问', '聊聊', 'discuss', and 'brainstorm', which can match ordinary conversation rather than an explicit command intent. This can cause unintended activation of the skill and route user content into Discord channels without sufficiently deliberate user action, increasing the risk of accidental data disclosure or workflow hijacking.

Vague Triggers

Medium (94% confidence)

Finding: The trigger phrases are broad enough to match ordinary conversation about projects, increasing the chance the skill activates unexpectedly. Because this skill reads local config, uses Discord bot credentials, creates remote threads, and writes persistent records, accidental invocation can cause unintended external actions and data disclosure.

Missing User Warnings

Medium (97% confidence)

Finding: The skill instructs sending project names, agent lists, and user-supplied project background to Discord without prominently warning the user that their data will be transmitted to a third-party service. In a project-management context, those details may contain confidential roadmap, product, customer, or internal staffing information, so omission of a disclosure materially increases leakage risk.

Missing User Warnings

Medium (96% confidence)

Finding: The skill reads local configuration files that may contain Discord bot credentials and then persists project metadata to a local projects file, but it does not clearly warn the user about either behavior. Accessing secrets-bearing config and creating durable records expands the privacy and security footprint, especially on shared machines or environments with weak file permissions.

Vague Triggers

Medium (81% confidence)

Finding: The trigger phrases are broad and overlap with normal conversation, including phrases like “讨论一下” and “project status”, which can cause the skill to activate unintentionally. In a skill that reads local files and may perform follow-on actions, accidental invocation expands exposure of local data and increases the chance of unintended operations.

Missing User Warnings

Medium (89% confidence)

Finding: The skill reads `~/.claude/projects.json` and queries the Discord API, but it does not warn the user that local project data will be accessed and transmitted to an external service. This weakens informed consent and can expose project metadata, thread identifiers, or activity details in contexts where the user expected a simple local status check.

Missing User Warnings

Medium (95% confidence)

Finding: The skill describes updating `projects.json` to archive a project without warning that user data will be modified. Silent local state changes are dangerous because users invoking a status-related skill may not realize they are performing a write operation, which can alter workflow state or hide active projects.

Ssd 3

Medium (98% confidence)

Finding: The skill explicitly tells the agent to repost the user's original project idea into Discord thread messages, which can copy sensitive natural-language content verbatim to an external system. Free-form project descriptions often include confidential plans, internal names, customer context, accidentally pasted credentials, or other secrets that are harder to sanitize after posting.

VirusTotal

65/65 vendors flagged this skill as clean.