ClawHub

Discord

Security checks across malware telemetry and agentic risk

Overview

This Discord skill is transparent about controlling a bot, but its default-enabled message, search, upload, and server-state actions are broad enough that users should review the setup carefully.

Install only if you trust the publisher and intend to let an agent act through your Discord bot. Limit the bot to specific servers and channels, disable unneeded discord.actions.* groups, keep roles and moderation off unless required, and require explicit approval before public posts, edits, deletions, pins, searches, file uploads, or member-affecting actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill exposes destructive and moderation-capable actions such as deleting messages, changing roles, and applying timeouts, but it does not clearly warn users that these operations can alter server state or affect other users. In an agent setting, missing safety guidance increases the chance of accidental misuse, especially because the same skill also presents many benign messaging actions alongside the destructive ones.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill enables reading recent messages, searching messages, and inspecting member, role, channel, and voice information without any privacy warning or usage constraints. Because the tool operates with a configured bot token, an agent could access organizational or personal Discord data more broadly than a user expects, leading to privacy violations or over-collection of sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal