Back to skill

Security audit

Discord Context

Security checks across malware telemetry and agentic risk

Overview

This skill openly gives an agent persistent Discord bot-token access to read Discord history outside normal OpenClaw session visibility, which is powerful and under-scoped.

Install only if you intentionally want the agent to have ongoing access to a Discord bot token and to Discord history in every channel that bot can read. Use a dedicated bot with the minimum possible channel permissions, avoid write permissions, require explicit channel or thread IDs, remove the persistent token pointer when finished, and rotate the token after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to retrieve a Discord bot token from a local file and use it for direct API access. That is credential access and use beyond normal platform mediation, and it expands the agent's privileges to any Discord resources the bot can read or write, creating both secrecy and abuse risk.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The guidance admits the token has read/write access while only advising the agent to 'prefer' read-only calls. That is not an effective control: once the agent has the token, it can invoke any permitted Discord API action, so the document understates the real privilege and misuse risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup and usage steps direct handling of a live bot credential and accessing message history without clear, explicit warnings about privacy boundaries, channel access scope, consent, logging, and downstream data exposure to the agent. This increases the chance of users enabling broad surveillance-like access without understanding the consequences.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill is designed to bypass OpenClaw's session-based visibility model and read conversations the agent was not part of. That defeats an intentional access boundary and enables unauthorized collection of historical or out-of-context Discord communications.

Ssd 3

High
Confidence
97% confidence
Finding
The instructions combine secret retrieval with direct API calls to access message history outside normal visibility controls. This is a clear privilege escalation pattern: the agent is given a reusable credential that unlocks broader Discord access than its native environment intends.

Ssd 3

High
Confidence
98% confidence
Finding
The skill normalizes reading threads and channels the agent was not part of as expected behavior. In context, that makes the capability more dangerous because the stated purpose is to circumvent a built-in visibility boundary rather than support an authorized administrative workflow.

External Script Fetching

High
Category
Supply Chain
Content
DISCORD_TOKEN=$(cat ~/.openclaw/.discord-bot-token)

# Read recent messages from a channel or thread (threads are channels in Discord)
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \
  "https://discord.com/api/v10/channels/{channel_or_thread_id}/messages?limit=50" \
  | python3 -m json.tool
Confidence
76% confidence
Finding
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \ "https://discord.com/api/v10/channels/{channel_or_thread_id}/messages?limit=50" \ | python

External Script Fetching

High
Category
Supply Chain
Content
| python3 -m json.tool

# Read messages before a specific message ID (pagination)
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \
  "https://discord.com/api/v10/channels/{channel_id}/messages?limit=50&before={message_id}" \
  | python3 -m json.tool
Confidence
76% confidence
Finding
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \ "https://discord.com/api/v10/channels/{channel_id}/messages?limit=50&before={message_id}" \ | python

External Script Fetching

High
Category
Supply Chain
Content
| python3 -m json.tool

# List active threads in a guild channel
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \
  "https://discord.com/api/v10/channels/{parent_channel_id}/threads/active" \
  | python3 -m json.tool
```
Confidence
74% confidence
Finding
curl -s -H "Authorization: Bot $DISCORD_TOKEN" \ "https://discord.com/api/v10/channels/{parent_channel_id}/threads/active" \ | python

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.