Agent Discord

Security checks across malware telemetry and agentic risk

Overview

This Discord skill can extract and store your Discord user session token, then let an agent read and act broadly as your account.

Install only if you are comfortable giving this CLI access to your Discord desktop session token and letting an agent act as you. Prefer a scoped Discord bot or separate low-privilege account, require explicit confirmation before posting, deleting, uploading, acknowledging, monitoring, or exporting data, and protect or delete credential, memory, and snapshot files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill description omits that it automatically extracts and locally handles Discord credentials from the desktop app. That is a sensitive authentication capability, and hiding it behind a general 'interact with Discord' description can mislead users and downstream policy systems about the true trust boundary.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documented command set extends far beyond the declared scope, including DMs, relationships, notes, profiles, uploads, deletion, search, and server snapshots. This mismatch increases the chance that users or agents invoke privacy-sensitive or destructive actions without realizing the skill is authorized to do so.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
Automatic extraction of Discord credentials from the desktop app is a highly sensitive capability, especially because it leverages existing logged-in state rather than a deliberate OAuth-style grant. In this context, the feature enables account-level access to messages, DMs, and server data with minimal user awareness.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The documented authentication flow instructs the tool to read Discord desktop LevelDB data, extract a user token, validate it, enumerate all joined servers, and persist the credential locally. That exceeds ordinary 'interact with Discord servers' behavior and introduces credential-harvesting capability against a highly sensitive local secret with account-wide access.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
Reading Discord desktop storage to recover a user token is credential access behavior, not merely normal API authentication. Because the recovered token grants the same permissions as the user, compromise or misuse can lead to full account activity as the victim across all accessible servers.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
Requesting or requiring full disk access so the tool can read Discord app data is disproportionate for a messaging-integration skill and materially expands the blast radius if the tool is abused or compromised. Even when framed as troubleshooting, normalizing elevated filesystem permissions around secret extraction increases the risk of broader local data exposure.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script writes the complete Discord snapshot to a timestamped local JSON file even though its stated purpose is only to generate a summary. That snapshot may contain server metadata, member identifiers, and recent message content, creating unnecessary local data retention and increasing the risk of disclosure from shared workstations, backups, logs, or accidental commits.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation says authentication happens silently in the background when any command is run, without a clear warning before stored tokens are accessed. Silent acquisition of credentials weakens user awareness and can lead to unexpected account access in contexts where the user only intended to run a harmless read-only command.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to persist server IDs, channel IDs, user IDs, and preferences across sessions without a clear user-facing notice or consent flow. Cross-session retention of communication metadata can create privacy risk and unexpected long-term accumulation of sensitive organizational context.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide leads with automatic token extraction instructions before prominently warning that the process accesses local application storage, captures a user token, and grants full account access. This weak disclosure pattern can cause users to perform a highly sensitive action without understanding the security and policy implications.

Natural-Language Policy Violations

High
Confidence: 97%
Finding
The document operationalizes automation using Discord user tokens while only later noting that self-botting may violate Discord's Terms of Service. Encouraging a prohibited authentication model increases the risk of account takeover, token misuse, and suspension, especially since user tokens are more privileged and sensitive than bot credentials.

Missing User Warnings

Medium
Confidence: 92%
Finding
This documentation repeatedly provides runnable examples that send messages, upload files, read server state, and switch servers, but it does not clearly warn users that these operations affect real external systems and shared Discord data. In an agent skill context, users may copy or invoke examples directly, increasing the chance of unintended posting, disclosure of server information, or actions against the wrong server.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script silently saves the full server snapshot to disk without disclosing that behavior in the header, usage text, or prompts. Undisclosed persistence is risky because users may run a read-only summary tool expecting ephemeral processing, while sensitive Discord data is actually stored locally.

Ssd 3

Medium
Confidence: 92%
Finding
The memory guidance explicitly tells the agent to record identifiers and user preferences across sessions. Even if message bodies and tokens are excluded, this still creates a durable map of servers, channels, users, aliases, and behavior that could be misused or leaked.

VirusTotal

63/63 vendors flagged this skill as clean.
