ClawHub

Discrawl Search

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built to search local Discord archives, but its broad trigger and lack of built-in scoping or consent controls make private message exposure too easy.

Install only if you intentionally want your agent to search a local Discrawl Discord archive. Use explicit channel, author, and time filters, avoid broad searches over sensitive servers, and treat the shell SQL helper as unsafe for untrusted query text unless it is hardened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation text is very broad and can trigger on generic requests about prior discussions or historical messages, causing the agent to consult archived Discord data when the user may not realize local message archives are being searched. In a privacy-sensitive context, overbroad triggering increases the chance of unintended disclosure of historical guild conversations, including messages from channels or users the current request did not clearly scope.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not warn users that it accesses archived Discord message history from a local SQLite database, which creates a transparency and privacy risk. Users may believe the agent is answering from current context rather than retrieving stored historical conversations, leading to unexpected exposure of retained content, user identifiers, and potentially sensitive past discussions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script searches archived Discord message history and returns message contents, authors, timestamps, and channels without any built-in user notice, consent check, or access-control guard. Because the skill is explicitly designed to retrieve historical guild conversations, it can expose sensitive or private message data to users who may not realize archived content is being queried or who may not be authorized to access it.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal