Discord Event Planner

Security checks across malware telemetry and agentic risk

Overview

This is a small local event tracker that stores event data in an events.json file, but it does not actually integrate with Discord despite the Discord wording.

Install it only if you want a local CLI-backed event list. Do not assume it will create Discord events, post reminders, notify attendees, or enforce Discord permissions. Keep events.json in a trusted folder and double-check event IDs before canceling records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill describes reading from and writing to `events.json`, but the frontmatter declares no permissions. That mismatch can undermine a permission model by hiding persistent storage capabilities from reviewers or users, which is risky even though the file access appears limited to event data rather than arbitrary sensitive files.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill metadata promises Discord event planning and coordination, but the implementation only reads and writes a local JSON file and exposes no Discord integration at all. This is a security-relevant integrity issue because an agent or user may rely on the claimed capability, causing silent failure, misleading automation behavior, or unsafe assumptions about where event data is being created and managed.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module docstring labels the script as a 'Discord Event Planner', but the code only performs local filesystem-backed event storage and terminal output. Mislabeling functionality is dangerous because downstream systems, operators, or agents may trust the description and invoke the tool in contexts where actual Discord-side actions, permissions, logging, or notifications are expected but never occur.

VirusTotal

62/62 vendors flagged this skill as clean.
