Skillv1.10.5

ClawScan security

Agent Discord · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 3:40 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (controlling a user's Discord account) is coherent with its files and scripts, but it omits and normalizes sensitive local credential access (automatic token extraction, plaintext credential storage, and mandated reading/writing of a persistent memory file) without declaring those config paths or making provenance clear — this mismatch and the implicit credential handling are concerning.
Guidance: This skill will extract your Discord user token from the desktop app and store it in ~/.config/agent-messenger/discord-credentials.json (plaintext), and it expects to read/write a persistent memory file (~/.config/agent-messenger/MEMORY.md) every run. Before installing or running it: 1) verify the package source (agent-messenger) and review its code on a trusted repo or npm page; 2) prefer using a bot token with scoped permissions rather than a user token (self-bots may violate Discord ToS); 3) if you proceed, run in an isolated account or VM, audit what the CLI writes under ~/.config, and ensure the credentials file is protected (chmod 600) and removed if you revoke access; 4) ask the publisher why config/credential paths are not declared in registry metadata and request a reproducible install provenance (package version, repository URL). The current mismatch between instructions and declared metadata is the main reason for caution.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (interact with Discord as the user) legitimately requires a user token and a CLI like agent-discord. However the registry metadata claims no required config paths or credentials while the SKILL.md and references explicitly instruct locating the Discord desktop app data, extracting the user token from LevelDB, and storing credentials at ~/.config/agent-messenger/discord-credentials.json — this undeclared local-file/credential access is an incoherence that reduces transparency.
Instruction Scope: concernSKILL.md and references explicitly instruct the tool/agent to extract tokens from the Discord desktop app (LevelDB Local Storage), to read a persistent memory file (~/.config/agent-messenger/MEMORY.md) at the start of every task using agent tools, and to write persistent memory. Those instructions involve accessing sensitive local files and credentials and directing the agent to read/write persistent state every run; this scope is broader than the registry metadata declares and contains potentially sensitive operations (automatic silent extraction).
Install Mechanism: noteInstall spec is a Node package (agent-messenger) that provides the agent-discord binary — using npm is expected for a CLI. The package is not pinned to a specific verified source in metadata and provenance isn't provided; installing an unpinned npm package from an unknown owner increases supply-chain risk and should be audited before installation.
Credentials: concernThe skill requests no environment variables, but it extracts and stores the user's Discord user token (sensitive credential) from local application storage and writes it plaintext to ~/.config/agent-messenger/discord-credentials.json. Storing user tokens in plaintext and performing automatic extraction without explicit declared config/credential requirements is disproportionate without clear user consent and provenance. The SKILL.md warns not to store tokens in memory files, but the tool itself will store them on disk.
Persistence & Privilege: noteThe skill does not request always:true and is not set to be omnipresent, which is good. However it instructs the agent to maintain a persistent memory file and to read it at the start of every task; that persistent local state is not declared in the registry config paths. The combination (persistent local files + credential storage) increases blast radius if the package or CLI is compromised.