ClawHub

HypDiscordGOD

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Discord bot scaffolding skill, but generated ticket and dashboard starters need privacy and production-hardening review before deployment.

Install only if you are comfortable reviewing generated Discord bot and dashboard code before deployment. Use least-privilege Discord permissions, keep tokens and OAuth secrets out of source control, run scaffolds in a fresh directory, and add authentication, authorization, restrictive CORS, HTTPS, secure cookies, CSRF checks, and transcript/session retention controls before exposing any dashboard or ticket system publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to inspect repositories, implement code directly, and work with Discord bots, dashboards, OAuth flows, webhooks, deployment, and worker systems. Those tasks inherently imply network and environment-variable access, yet the skill declares no permissions, creating a mismatch that can bypass least-privilege review and lead to unintended secret exposure or outbound actions when the skill is invoked.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The ticket transcript export persists users' message contents and attachment URLs to local disk, creating a privacy and data-retention risk if transcripts contain sensitive personal information, tokens, or confidential support details. In a Discord ticketing bot this is especially relevant because ticket channels often handle moderation issues, appeals, and private support requests, yet the code provides no notice, retention controls, access restrictions, or secure storage handling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The notes explicitly describe exporting ticket transcripts to local files and capturing attachment URLs, but they do not mention user notice, consent, retention limits, or access controls. In a Discord ticketing context, transcripts often contain sensitive support conversations and attachment links, so omitting privacy guidance increases the risk of over-collection, unintended disclosure, and noncompliant data handling when downstream users implement the starter as written.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal