Back to skill
Skillv1.10.5
VirusTotal security
Agent Discord · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:58 AM
- Hash
- de73e22a085754fc8553398b46e3d14eeaa9a3d7730f8b3f285410029ce3c624
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agent-discord Version: 1.10.5 The skill bundle provides a CLI tool designed to perform 'seamless' authentication by automatically extracting Discord session tokens from the desktop application's local storage (LevelDB) on macOS, Linux, and Windows. While the documentation in SKILL.md and references/authentication.md is transparent about this behavior and its potential violation of Discord's Terms of Service, the automated harvesting of sensitive session credentials from the filesystem is a high-risk capability identical to techniques used by credential-stealing malware. There is no explicit evidence of data exfiltration to a third party, but the tool's core functionality relies on sensitive credential access and local persistence in ~/.config/agent-messenger/discord-credentials.json.
- External report
- View on VirusTotal