Back to skill

Security audit

Discord Hub My

Security checks across malware telemetry and agentic risk

Overview

The skill is a small Discord webhook helper whose file access and network call are disclosed and limited to sending a user-provided message to a configured Discord webhook.

Install only if you are comfortable storing a Discord webhook URL in the skill's local .env file and sending messages through that webhook. Keep the .env file private and trusted because this implementation sources it as shell code; do not use a .env file from an untrusted source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Credential Access

High
Category
Privilege Escalation
Content
DIR="$(cd "$(dirname "$0")" && pwd)"

# 读取 .env
if [ -f "$DIR/.env" ]; then
  set -a
  . "$DIR/.env"
  set +a
Confidence
89% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.