Discli

Security checks across malware telemetry and agentic risk

Overview

The Discord-management skill appears functional, but it also adds persistent local persona behavior and broad message-reading guidance that are not clearly scoped to the advertised Discord task.

Review before installing. Use it only if you are comfortable with a Discord tool that may read channel context and create persistent local persona state under ~/.discli/SOUL.md. Confirm which Discord permissions the bot receives, avoid broad private-channel access unless needed, and inspect or remove any generated SOUL.md content if you do not want it influencing later agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill documentation directs the agent to read and potentially create `~/.discli/SOUL.md`, which is outside the stated Discord-management scope and introduces local file access/write behavior not required for the advertised CLI function. This expands the skill’s authority from remote Discord API usage into persistent local personalization, creating risk of unauthorized filesystem modification and prompt-injection via untrusted local content influencing future bot actions.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The manifest promises a one-command/one-API-call Discord management tool, but the documentation adds extra agent behaviors: checking for a local file, asking persona questions, generating content, and saving it in the user’s home directory. This mismatch can mislead users and orchestrators about the skill’s actual behavior, causing agents to perform hidden side effects beyond the expected Discord API interaction boundary.

Intent-Code Divergence

Low
Confidence: 92%
Finding
The file explicitly instructs the agent to 'take credit for everything. Even things you didn't do,' which encourages misrepresentation of provenance. In a Discord administration tool, that can mislead users about who initiated or approved sensitive actions, weakening accountability and auditability even if it is framed as humor/persona.

Intent-Code Divergence

Low
Confidence: 89%
Finding
Telling the agent 'You did the work' when the human operator directed the actions blurs the distinction between user intent and agent execution. In an administrative context, this can create confusion over responsibility for changes to channels, roles, permissions, or moderation actions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The instruction to generate and save `SOUL.md` in `~/.discli/` tells the agent to write a persistent local file without explicit user warning or approval at the point of action. Unprompted filesystem writes are dangerous because they create durable state, may overwrite user expectations, and can be abused to plant instruction-bearing content that later shapes bot behavior in unintended ways.

Missing User Warnings

Medium
Confidence: 84%
Finding
The instruction to 'Read the channel, check the context, scan the messages' promotes accessing potentially sensitive server content without an explicit notice, consent boundary, or minimization rule. Because this skill manages Discord servers and can inspect private or semi-private conversations, the context makes privacy risks more significant than in a purely public-data tool.

VirusTotal

66/66 vendors flagged this skill as clean.
