ClawHub

Codecast

Security checks across malware telemetry and agentic risk

Overview

Codecast has a real Discord streaming purpose, but it also enables high-impact remote control and unsafe autonomous agent setup that users should review before installing.

Install only if you are comfortable sending live development activity to Discord. Use private channels, protect webhook and bot tokens, restrict bridge channel and user IDs, avoid the Discord bridge for sensitive repositories, do not apply the global bypassPermissions/allow-all setting on normal machines, and avoid PR/parallel modes until the eval-based command construction is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (37)

Tainted flow: 'url' from os.environ.get (line 81, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
payload = {"content": msg, "username": name or agent_name}

    try:
        subprocess.run(
            ["curl", "-s", "-X", "POST", url,
             "-H", "Content-Type: application/json",
             "-d", json.dumps(payload)],
Confidence
85% confidence
Finding
subprocess.run( ["curl", "-s", "-X", "POST", url, "-H", "Content-Type: application/json", "-d", json.dumps(payload)], capture_output=True, tim

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of shell execution, file reads/writes, environment-dependent setup, and process management, yet the manifest shown does not declare permissions for those capabilities. Undeclared capabilities reduce transparency and bypass expected trust boundaries, making it easier for operators to invoke a skill with broader access than they realize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as passive streaming to Discord, but the referenced behavior includes inbound Discord control, process termination, session stdin injection, log inspection, PR checkout/review actions, and orchestration across repos. This mismatch is dangerous because users may authorize what appears to be observability tooling while actually enabling remote command-and-control and broader repository operations.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The Discord bridge exposes live control over local agent sessions from Discord, including sending arbitrary stdin to an agent and killing processes. If unauthorized users can reach the channel, bot, or allowed-user controls are misconfigured, this becomes a remote command-and-control path into sensitive local development workflows and can lead to prompt injection, data exfiltration, or destructive actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The setup explicitly instructs users to configure Claude Code with `defaultMode: bypassPermissions` and `allow: ["*"]`, which disables approval prompts and grants blanket tool access. In the context of a skill that relays coding-agent sessions and may be used during arbitrary agent runs, this materially increases the chance that a prompt injection, malicious dependency, or mistaken command can execute sensitive actions without any user confirmation.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script silently retrieves a Discord bot token from environment variables, macOS Keychain, or a local file, despite the advertised behavior focusing on webhook-based relay. Accessing additional credentials increases the blast radius if the tool is misused, and users may not realize a higher-privilege token is being consumed.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script emits an OpenClaw system event unrelated to the stated Discord relay purpose, creating an undocumented secondary data egress path. Even though the message is short, it discloses agent name and working directory to another external system without clear user consent.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's stated companion behavior adds inbound control from Discord into local agent sessions, which materially exceeds the advertised 'stream/observe' purpose of the skill. That turns a transparency feature into a remote command-and-control bridge: anyone who can message the watched channel within the allowed policy can influence local agent behavior and operations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`!kill` allows remote Discord messages to terminate local processes, giving channel participants operational control over the host. In the context of a streaming skill, this is unjustified privilege and can be abused for denial of service, disruption of development sessions, or termination of unrelated processes if session metadata is manipulated.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The bridge forwards Discord message content directly into agent stdin, enabling remote users to steer the coding agent, trigger tool use, and potentially cause file, shell, or network actions through the agent. Because the skill context is marketed as streaming/observability, this hidden control channel is especially dangerous: it converts passive monitoring into active remote execution influence.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script appends an instruction telling the coding agent to execute a local command, `openclaw system event`, when it finishes. Because task prompts come from a file and are sent to a highly privileged agent mode (`--dangerously-skip-permissions` / `--full-auto`), this expands the skill from passive streaming into active local command execution and creates an implicit execution sink that users may not expect.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script does more than passively stream agent activity to Discord: with `-c`, it performs a GitHub write by posting a PR comment using the caller's authenticated `gh` credentials. That expands the skill's authority from observability into repository-side mutation, which can be abused to publish misleading content, spam PRs, or leak sensitive review output into GitHub.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Claude path invokes `claude -p --dangerously-skip-permissions` and the Codex path uses `--full-auto`, granting the coding agent broad autonomous execution in a workflow whose stated purpose is just streaming/reviewing. Because the prompt includes repository context and instructs the agent to run commands, a compromised or mistaken agent can execute shell actions, modify files, or trigger side effects well beyond read-only PR review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that any text sent in the Discord channel during an active session is forwarded to the coding agent, but it does not prominently warn users that channel participants can inject commands or prompts into the agent. In this skill context, that omission is especially dangerous because the tool is designed for real-time interaction with a live coding agent, so unauthorized or accidental messages could trigger code execution, file modification, secret disclosure, or other unsafe agent actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The standalone design sends agent session data through a Discord webhook and receives input through the Discord gateway, but the documentation does not warn that agent output, commands, file paths, and possibly sensitive content will be transmitted to a third-party service. In this context, the skill is specifically meant to stream development sessions externally, so missing privacy and data-transmission warnings can lead users to expose proprietary code, secrets, or operational details without informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance uses broad trigger phrases like 'stream to Discord', 'relay agent output', and 'make dev sessions visible,' which can match routine collaboration requests and cause the skill to activate in contexts where users did not intend external transmission. Because this skill can expose live agent activity and potentially broader functionality, overbroad triggering increases the chance of accidental data disclosure or unsafe enablement.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed to stream coding-session contents, including tool calls, file writes, bash commands, and results, to Discord, but the description does not prominently warn users that sensitive code, secrets, paths, logs, or proprietary data may be disclosed to a third-party channel. In this context, omission of an explicit disclosure warning is especially dangerous because the whole purpose is outbound transmission of potentially sensitive development telemetry.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to operate a Discord bot token without highlighting that the token is a sensitive secret or that Discord messages may be forwarded into active agent sessions. This increases the likelihood of credential mishandling, accidental token exposure, and unsafe trust in chat-originated input controlling local processes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly states that detailed coding-session telemetry is streamed to Discord, including file writes, file reads, bash commands, command output, web searches, reasoning traces, token usage, and summaries. In a developer workflow, these artifacts can easily contain secrets, proprietary code, internal paths, credentials, or sensitive operational data; documenting this behavior without a prominent privacy warning or redaction guidance creates a real data-exposure risk, especially because the skill is specifically designed to externalize otherwise local agent activity.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file documents use of a Discord bot token and webhook URL stored in local files/environment variables, but gives no user-facing warning about secure storage, least-privilege configuration, or the consequences of token leakage. Because these credentials enable message posting and channel monitoring/bridging, poor handling could allow unauthorized access, spoofed messages, or broader disclosure of relayed session content.

Missing User Warnings

High
Confidence
99% confidence
Finding
These instructions disable Claude Code's permission safeguards without any warning about the security consequences, normalizing an unsafe configuration for end users. Because this skill is designed to observe live coding-agent sessions, users may run it in high-trust development environments where silent unrestricted actions could expose secrets, modify repositories, or execute destructive shell commands.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The start message posts the full invoked command to Discord, which can include prompts, repository paths, access tokens, API keys, or sensitive arguments. Because this happens automatically at session start, users may leak secrets before noticing the relay behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The post() helper sends arbitrary session content to Discord without any built-in warning, review step, or redaction. Since agent output can contain secrets, code, file contents, and prompts, this creates a high-likelihood accidental disclosure channel to a third party.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Silently sourcing a bot token from env, Keychain, or disk is a transparency problem and can surprise users about what credentials are in use. While not exploitation by itself, hidden credential consumption can mask privilege escalation and complicate incident response.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Remote session termination occurs immediately from a Discord command with no secondary confirmation, local prompt, or warning about the destructive effect. This increases the chance of accidental or socially engineered session disruption and lowers the barrier to abuse when the channel or allowed-user settings are misconfigured.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal