ClawHub

discord-soul

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate Discord-agent purpose, but it handles full-server message archives, Discord account credentials, third-party AI review, and recurring storage with weak safeguards.

Install only if you have clear authorization to export and retain the Discord server's messages. Treat the Discord token like an account password, restrict access to the SQLite database and generated memory files, exclude sensitive channels where possible, review Anthropic processing before enabling it, and do not rely on the advertised safety pipeline until the missing scripts and safe-only filtering are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly uses sensitive capabilities including reading environment variables, reading and writing local files, and making networked API calls, yet it does not declare permissions or prominently warn about them. This reduces transparency for operators and makes it easier to deploy a data-collecting workflow without understanding its access needs and risk surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as creating a community agent, but the body also performs bulk Discord export, long-term storage of message history and metadata, third-party safety scanning, and periodic updates. That mismatch can materially understate the amount of surveillance, retention, and external data transfer involved, increasing the chance of unsafe or non-consensual deployment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script sends Discord message content to Anthropic for safety classification, which is a real data-exposure behavior beyond purely local processing. Even if intended for moderation, transmitting user-generated content to a third-party API creates privacy, consent, and data-governance risk, especially when the skill description does not clearly signal external safety scanning.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is explicitly designed to export full raw Discord conversations, including message content and associated metadata, into markdown files. That creates a durable secondary copy of potentially sensitive community data outside the original platform, increasing the risk of privacy violations, over-collection, accidental disclosure, and downstream misuse beyond what users may reasonably expect from a feature described as "memory."

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script explicitly ingests and persists significantly more data than core message memory alone, including roles, mentions, channel metadata, attachment details, and embed previews. In the context of a community-memory agent, this over-collection expands the privacy and surveillance surface and increases harm if the database is later queried, shared, or breached.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Storing attachment and embed URLs preserves direct references to files and external resources that may reveal private assets, internal links, or access patterns unrelated to conversational memory. For a Discord-derived agent, retaining these links creates unnecessary tracking and sensitive-data exposure risk beyond the stated purpose.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The script claims to perform 'LanceDB indexing (safe only)' but invokes the indexer without enforcing any visible safety-status filter at this layer. If the downstream indexer does not independently restrict records, flagged or unverified Discord messages could be embedded and made searchable, undermining the pipeline's safety guarantees and potentially exposing harmful, sensitive, or policy-violating content to later retrieval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to export, store, and continuously update Discord message archives, but it does not warn about privacy, consent, retention, access control, or legal/compliance obligations. Because this skill is designed to preserve community conversations as agent memory, the omission is more dangerous than in a generic data-processing tool: operators may ingest sensitive user content at scale without implementing safeguards.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell users how to extract a Discord authorization token from browser traffic and store it locally, but do not treat it as a highly sensitive credential. A leaked user token can enable unauthorized account access and broad server data extraction, making this far more dangerous than a normal API key setup.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to export entire guild history and store it locally without a clear privacy warning or consent guidance for collecting community conversations. That creates a real risk of over-collection, policy violations, and unintended disclosure of private or sensitive discussions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document instructs users to index full Discord message content, author names, and timestamps into a searchable vector database and automate that process via cron, but it does not warn about privacy, consent, retention, or access-control risks. In the context of a skill whose purpose is to 'remember every conversation,' this materially increases the chance of over-collection and long-term storage of sensitive community data, making unauthorized access, internal misuse, or policy violations more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide instructs users to export an Anthropic API key and send Discord-derived content to an external model service, but it does not warn about credential handling, data minimization, or the privacy implications of transmitting community messages off-platform. In a Discord-ingestion skill, this omission can lead operators to expose sensitive server content or mishandle long-lived API credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script exports an entire Discord server history using a user token and stores the resulting content in local JSON and SQLite files, but provides no consent checks, data-minimization controls, retention policy, access protections, or warning that the data may contain sensitive personal information. In the context of a tool that creates a persistent 'living agent' from community conversations, this increases the risk of overcollection, unauthorized retention, and secondary exposure of private or sensitive community data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Discord message content is sent to an external Anthropic API without any visible warning, notice, or consent mechanism in this code path. That creates a genuine privacy and compliance risk because sensitive user content may leave the local environment unexpectedly during safety evaluation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code writes complete conversation logs to markdown without any disclosure, confirmation prompt, or sensitivity checks at the point of export. Because Discord messages may contain personal information, private community discussions, credentials, or other secrets, silently exporting them to local files materially increases exposure risk if the host is shared, backed up, indexed, or later ingested by other tools.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This write path creates directories and persists day-by-day markdown files containing full conversation history, making large-scale extraction trivial when run with --all. In the context of a Discord community skill, this is more dangerous because it systematizes long-term archival of user communications in an easily readable format that may be copied, synced, searched, or exposed outside Discord's normal access controls.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script unconditionally deletes an existing output database when --append is not set, with no interactive confirmation, backup, or safety check. If the output path is misconfigured or reused, this can cause irreversible data loss and makes destructive mistakes easy during normal operation.

Ssd 3

High
Confidence
96% confidence
Finding
The skill's core design is to remember every conversation and embody the community by ingesting user-generated content into an agent persona. Even with injection filtering, this creates a broad data exposure channel where private speech, personal details, and harmful content can be surfaced or reproduced by the agent.

Ssd 3

High
Confidence
96% confidence
Finding
The skill explicitly captures full message content plus rich metadata such as reactions, roles, mentions, attachments, and embeds, which materially increases the sensitivity of the stored dataset. Combined with an answering agent, this can enable broad disclosure, profiling, and reconstruction of community activity far beyond what users expect.

Ssd 3

High
Confidence
97% confidence
Finding
Generating daily memory files with full conversation logs and attributed speaker histories creates durable, easily searchable artifacts of user speech for downstream model use. Those artifacts expand the blast radius of any compromise or misuse and make later leakage or unintended replay much more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal