Back to skill

Security audit

Discord Chat 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This Discord skill is instruction-only, but it documents broad and destructive Discord administration actions beyond its chat-focused description.

Install only if you are comfortable giving an agent access to a Discord bot that may read, post, edit, delete, and administer channels through the message tool. Limit the bot’s Discord permissions, avoid granting channel-management or deletion rights unless required, and require explicit user approval before edits, deletes, channel changes, webhook setup, or gateway configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest advertises only send/reply/search behavior, but the body documents additional capabilities including read, react, edit, delete, and channel-management operations. This mismatch can mislead policy layers or users about the true authority of the skill, increasing the chance that the agent invokes broader Discord actions than expected, including destructive or privacy-impacting ones.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented actions allow creating, editing, moving, and deleting Discord channels, categories, threads, pins, and permission-related queries, which materially exceeds the declared skill scope of only sending, replying to, and searching messages. This scope mismatch is dangerous because an agent or integrator may trust the manifest and grant or invoke the skill in contexts where destructive administrative operations were not expected, enabling unauthorized server reconfiguration or disruption.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation exposes a `channel-list` capability that is outside the stated send/reply/search scope of the skill. That scope mismatch can mislead reviewers and users, and it enables channel enumeration that may reveal server structure and expand what an agent can discover beyond the declared intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text is broad enough to trigger the skill for generic requests like checking Discord activity or interacting with channels, which can encompass sensitive reading, posting, editing, or deleting behavior. Overbroad routing raises the risk of unnecessary tool use, accidental data access, or selecting this skill when a safer or more limited workflow would suffice.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes a delete operation with no warning that it is destructive, irreversible in many workflows, and potentially harmful if mis-invoked by an agent. In this skill context, deletion is more dangerous because the same skill is broadly framed for general Discord interaction, making accidental or unjustified destructive actions more plausible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The search guidance normalizes broad message and channel enumeration without warning about authorization, least-privilege use, or handling of sensitive content. In an agent context, this increases the risk of over-collection of private conversations, links, mentions, and user activity if the skill is used in channels the operator can access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.