
Security checks across malware telemetry and agentic risk

Overview

This Discord skill mostly matches its purpose, but it needs review because its runnable scripts load local environment files too broadly and can post externally with limited disclosure.

Review before installing. Use only a Discord webhook you control, avoid putting unrelated secrets in this skill's .env file, inspect or replace the .env loader before running run.sh, and confirm the destination and message content before executing the sender.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script sources a local .env file directly into the shell with `. "$DIR/.env"`, which does not merely read key-value pairs but executes any shell code present in that file. In a skill context, this is risky because credentials and configuration are commonly stored in .env, and a modified or malicious .env could run arbitrary commands before the intended action occurs.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The script invokes another script named `discord_send.sh`, which by name and skill description likely performs an outbound network action to Discord. While not inherently malicious, triggering an external send operation without any warning, preview, or confirmation can cause unintended data transmission, especially when the message content may come from user input or automation.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
DIR="$(cd "$(dirname "$0")" && pwd)"

# Read .env (sourcing it executes any shell code the file contains)
if [ -f "$DIR/.env" ]; then
  set -a
  . "$DIR/.env"
  set +a
fi
Confidence: 94%
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.
