Back to skill

Security audit

Discord Voice

Security checks across malware telemetry and agentic risk

Overview

This Discord voice skill is coherent, but needs review because shared voice audio can reach cloud speech services and the agent’s normal tools unless tightly restricted.

Review before installing on shared Discord servers. Set allowedUsers, avoid autoJoin in public channels, notify and get consent from participants, prefer local STT/TTS for sensitive conversations, and ensure the underlying OpenClaw agent requires approval for sensitive or state-changing tools triggered by voice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly requires environment secrets and external network access to Discord, STT, and TTS providers, but the manifest does not declare permissions for those capabilities. This creates a transparency and governance gap: operators may install the skill without understanding that it can access tokens and transmit audio/transcripts off-host to third parties.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README clearly describes a workflow where users' spoken audio is recorded, transcribed, sent through an external agent/LLM, and then synthesized by third-party providers, but it does not prominently warn operators or end users about the privacy implications. In a voice-channel context, this can lead to uninformed collection and onward transfer of sensitive speech content, increasing the risk of accidental data exposure or policy noncompliance.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented autoJoinChannel option can cause the bot to enter a voice channel automatically on startup, and the plugin's normal behavior is to monitor for speech via VAD. Without an explicit warning, administrators may deploy always-on monitoring unintentionally, creating privacy and consent risks for people in the channel.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill processes live voice conversations and sends audio/transcriptions through external STT/TTS providers and the agent, but the description does not present a prominent privacy warning. In a voice-channel context, that omission is significant because multiple users may be recorded and have their speech relayed to third parties without clear notice or consent expectations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest advertises real-time voice participation in Discord channels and the schema defaults the feature to enabled, while only offering optional constraints such as allowedUsers and autoJoinChannel. Without explicit activation boundaries, consent language, or exclusion conditions in the manifest, administrators may deploy a bot that can listen and respond more broadly than intended, increasing privacy and abuse risk in voice environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest lists multiple third-party STT/TTS providers and API keys but does not clearly warn that user voice audio and generated speech may be sent to external services. In a real-time Discord voice context, that omission can lead to uninformed collection and transmission of potentially sensitive conversations, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The plugin explicitly supports real-time voice conversations and multiple external STT/TTS providers, but the manifest does not present a clear user-facing disclosure that audio and derived text may be transmitted to third-party services. In a voice context, this creates meaningful privacy and consent risk because users may speak sensitive information without understanding where it is processed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code sends captured user voice audio to configurable external STT providers such as Deepgram, OpenAI, or other services, but there is no user-facing consent or disclosure check at the point of capture or transmission. In a real-time Discord voice context, this can expose sensitive spoken content to third parties without participants' knowledge, creating privacy, compliance, and trust risks.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill forwards generated text to external TTS providers to synthesize speech without any explicit notice to users that conversation content may leave the Discord environment. While lower risk than raw audio capture, responses can still contain sensitive or private information derived from user speech or agent context, so undisclosed third-party processing remains a privacy issue.

Known Vulnerable Dependency: hono==4.11.9 — 10 advisory(ies): CVE-2026-56762 (Hono missing validation of cookie name on write path in setCookie()); CVE-2026-47676 (Hono: app.mount() strips mount prefix using undecoded path, causing incorrect ro); CVE-2026-47675 (Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
hono==4.11.9

Known Vulnerable Dependency: ws==8.18.0 — 2 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
98% confidence
Finding
ws==8.18.0

Known Vulnerable Dependency: openclaw==2025.0.0 — 10 advisory(ies): CVE-2026-53846 (OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency); CVE-2026-32064 (OpenClaw's andbox browser noVNC observer lacked VNC authentication); CVE-2026-32006 (OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallbac) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
openclaw==2025.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.ts:156

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/streaming-tts.ts:56

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/stt.ts:38

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/tts.ts:49

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/config.ts:269

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/streaming-tts.ts:116

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/tts.ts:96

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
index.ts:158