discord-cli

Security checks across malware telemetry and agentic risk

Overview

This is a functional Discord CLI skill, but it can recover and store a Discord user-session token and build broad local message archives, so it should be reviewed carefully before use.

Install only if you intentionally want a local Discord archiver that uses your personal Discord user token. Run auth and sync commands only on accounts and machines you control, avoid saving tokens to a project .env, review what channels sync-all would collect, and do not use AI analysis on private messages unless you are comfortable sending that message content to the configured AI provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (23)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill documents access to environment variables, local files, file writes, and networked Discord/API operations but declares no permissions. This creates a transparency and consent problem: an agent or user may invoke a skill with sensitive capabilities, including token handling and local database writes, without an explicit permission boundary.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 98% confidence
Finding: The documented behavior goes beyond a normal chat-history CLI by auto-extracting Discord user tokens from local browser/Discord storage, validating them over the network, and saving them locally. User-token extraction is highly sensitive credential harvesting behavior; if misused or compromised, it can expose full account access and private server/message data.

Intent-Code Divergence

Medium

Confidence: 84% confidence
Finding: The safety note says the token is never uploaded, but the skill also offers AI analysis features that require an external API key, implying some message content may be sent to a third-party model provider. This contradictory data-handling description can mislead users about what leaves the machine and increases the risk of unintentional disclosure of private Discord content.

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: This module's behavior is materially different from the stated skill purpose: instead of only supporting Discord chat/history operations, it searches local Discord and browser storage for authentication tokens and can persist them to a project .env file. That is credential-harvesting functionality, and in an agent skill context it is especially dangerous because it can silently obtain reusable Discord account secrets unrelated to the declared task.

Context-Inappropriate Capability

High

Confidence: 100% confidence
Finding: The code enumerates known browser and Discord client storage locations and regex-scans their LevelDB/log files for Discord tokens, which is classic credential access behavior. Extracted tokens can enable full account takeover, message access, impersonation, and abuse of any servers or bots tied to the compromised account.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill metadata describes read/search/sync/analysis capabilities, but this file also exposes a destructive `purge` command that deletes all stored messages for a channel. That mismatch is dangerous because an agent or user relying on the declared scope may invoke the skill without realizing it can irreversibly destroy local data, increasing the risk of accidental or policy-bypassing data loss.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The `auth` command extracts Discord user tokens from local browser/Desktop client state and can persist a recovered token to `.env`. That capability materially exceeds the stated skill purpose of fetching/searching Discord chats and introduces credential-harvesting behavior that could be abused to take over a Discord account.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The structured user payload includes sensitive profile attributes such as email, phone number, MFA status, premium status, and account creation metadata. Exposing this data by default expands data collection beyond the manifest's chat/query framing and increases privacy and targeting risks if output is logged, shared with agents, or exfiltrated.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: Scanning the local system for Discord tokens is a credential-access capability unrelated to normal chat retrieval and effectively automates theft of existing session secrets. In an agent skill context, this is especially dangerous because a user or calling system may not expect the tool to inspect browser/client storage for reusable authentication tokens.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: Writing a recovered Discord token into `.env` persists a powerful bearer credential in a commonly read, accidentally committed, or broadly accessible file. Persisting harvested credentials increases the blast radius of compromise and makes subsequent unauthorized reuse much easier.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: This client exposes account/profile lookup and guild member enumeration functionality that goes beyond the declared skill scope of chat history, channel sync, search, and AI analysis. In an agent context, extra data-access primitives expand what an LLM or downstream automation can collect, enabling unnecessary user profiling and broader privacy-impacting enumeration if the token is available.

Context-Inappropriate Capability

High

Confidence: 96% confidence
Finding: The get_me function retrieves sensitive account attributes including email, phone, MFA status, and premium status, which are not necessary for basic Discord chat history/search operations. In an AI-agent setting, exposing this data to the tool layer creates avoidable privacy and account-security risk because the agent can access or leak high-sensitivity identity and security metadata.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The code explicitly instructs users to obtain a Discord Authorization header from browser DevTools, which implies use of a personal user token rather than an OAuth2/bot token. This is dangerous because user-token harvesting bypasses Discord's intended auth model, risks account takeover if the token is exposed, and can violate platform terms while granting broad access tied to a real user account.

Missing User Warnings

Medium

Confidence: 80% confidence
Finding: The documented purge command performs destructive deletion of stored data and is shown with a force/yes flag, but there is no explicit warning about data loss, scope, or recoverability. In agentic contexts, under-documented destructive commands increase the chance of accidental data deletion through automation or misunderstanding.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill collects sensitive authentication tokens and offers to persist them without any user-facing warning, consent gate, or provenance check. In an AI-agent setting, this makes covert credential theft and reuse much more dangerous because the user may believe the tool is only operating on Discord content, not harvesting secrets from local applications.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The history command fetches Discord messages and stores them in a local SQLite database by default, but the command text and flow do not clearly warn users that chat content will be retained on disk. This creates privacy and data-handling risk, especially on shared machines or when sensitive server conversations are copied locally without explicit informed consent.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The sync command performs ongoing incremental collection of new Discord messages into local storage without a clear disclosure that local retention continues over time. Users may reasonably interpret 'sync' as transient retrieval, but this implementation builds a persistent message archive that could expose sensitive communications if the host is compromised or shared.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The sync-all command enumerates all accessible channels across guilds and stores fetched messages locally, creating a broad-scope archive of potentially sensitive conversations without an explicit warning or scoping confirmation. Because this operates across many channels and servers, the privacy impact is substantially greater than single-channel history collection and can lead to large-scale unintended local data accumulation.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The structured output path returns sensitive account fields including email, phone, MFA status, premium type, and creation time without an in-band warning or explicit consent at the point of disclosure. In AI/agent workflows, structured output is commonly forwarded, logged, or stored, which raises the likelihood of unintended PII exposure.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: This code accesses a highly sensitive credential and presents retrieval instructions without any visible warning about the risks of exposing a personal Discord token. In the context of an AI-agent-facing CLI, this increases the chance that operators will mishandle a user credential with broad account access.

Credential Access

High

Category: Privilege Escalation
Content: def save_token_to_env(token: str, env_path: Path | None = None) -> Path: """Save token to .env file.""" if env_path is None: env_path = Path.cwd() / ".env"
Confidence: 97% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: def save_token_to_env(token: str, env_path: Path | None = None) -> Path: """Save token to .env file.""" if env_path is None: env_path = Path.cwd() / ".env" lines = [] token_found = False
Confidence: 97% confidence
Finding: .env"

Credential Access

High

Category: Privilege Escalation
Content: @cli.command("auth") @click.option("--save", is_flag=True, help="Save found token to .env automatically") def auth(save: bool): """Extract Discord token from local browser/Discord client.""" import httpx
Confidence: 96% confidence
Finding: .env

VirusTotal

VirusTotal engine telemetry is currently malicious for this artifact.

View on VirusTotal