Back to skill

Security audit

Discord History Reader

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about what it does, but it gives agents persistent bot-token access to Discord history outside normal OpenClaw visibility, so it needs careful review before use.

Install only if you intentionally want agents to read Discord history outside normal OpenClaw session visibility. Use a dedicated low-permission bot limited to specific channels, avoid granting send or moderation permissions, rotate the token if exposed, and require explicit approval for each channel or thread read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to read a Discord bot token from a local file, which expands the skill from simple context retrieval into credential access and use. That token can typically access all channels the bot can read and may also allow write actions, so compromise or misuse exceeds the stated purpose of the skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a read-history utility, but its implementation relies on a general-purpose bot credential that the document itself admits has read/write access. This creates a capability mismatch where the operational behavior is far more powerful than the declared function, increasing the risk of privilege abuse or accidental misuse.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The document states only a preference not to send messages, while acknowledging the token can do more than read history. Advisory restrictions are not security controls, so an agent or downstream prompt could still use the same credential for message posting, moderation actions, or broader API access.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad and can activate in ordinary conversation, causing the skill to fetch Discord history outside the user's immediate session context. Because the skill reaches beyond normal visibility boundaries, loose activation criteria materially increase the chance of unintended sensitive data access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The instructions normalize reading and using a bot token without a strong runtime warning that the agent will access sensitive credentials and potentially broader Discord data. In this context, lack of prominent consent and disclosure is dangerous because the skill is specifically designed to bypass default session visibility controls.

Ssd 3

High
Confidence
98% confidence
Finding
The core purpose of the skill is to bypass OpenClaw's normal session-based visibility and retrieve Discord history from conversations the agent was not part of. That is a direct cross-boundary data access mechanism and can expose private or sensitive communications that platform controls were intentionally preventing the agent from seeing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.