Discord Connect UI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Discord integration, but its installer can automatically patch, rebuild, and restart Clawdbot and does not fully undo all source changes.

Install only after reviewing the installer and running a dry run. Use --skip-build and --skip-restart until you are ready for operational changes, keep a backup of the Clawdbot source tree, use a dedicated least-privilege Discord bot token, prefer OpenBao or environment-based secret handling, and plan for manual cleanup if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill describes automatic installation steps that modify the host application, register RPC handlers, install UI components, and perform networked Discord integration, yet there is no declared permissions section warning the user about environment and network capabilities. This creates a transparency and consent problem: users may invoke the skill without understanding it can alter the local environment and communicate externally, which increases the chance of unsafe deployment or privilege misuse.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This is a real integrity/availability flaw: the runtime reads the Discord token from `config.channels?.discord?.botToken`, but `discordSetToken` saves the supplied credential into `channels.discord.token`. As a result, the newly saved token is never used by the rest of the handlers, causing persistent misconfiguration while misleading operators into believing the credential was updated successfully and the restart will apply it.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
This is a true vulnerability because the code tells the caller that the token was saved and will take effect after restart, but the restart cannot fix the issue when the token is written to an unused field. In an operational security context, false success messages around credential rotation can leave a service disconnected or still using an old secret, undermining incident response and credential management.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The hook automatically executes host-level shell commands for building, restarting services, and querying runtime status. Even though these commands support installation, they create side effects on the host without explicit approval and widen the trust boundary from 'install files' to 'operate the local system', which is risky for a plugin installer.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The uninstall path removes copied files but does not restore modified source files, despite claiming to restore backups. This can leave persistent code changes in the host application after removal, causing integrity issues, broken builds, or hidden residual functionality that survives uninstall.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installation section states the skill 'automatically installs all necessary components' but does not prominently warn that it will modify dashboard navigation, routing, RPC handlers, configuration, and restart the gateway. Because these are high-impact changes to the control plane of the application, omitting an explicit warning can mislead operators into approving broad system modifications they did not expect.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The schema defaults to a broad message-handling posture: `groupPolicy` defaults to `open`, while `requireMention` is only a separate boolean and may be overridden inconsistently at guild and channel scope. In a Discord integration skill, this can lead to the bot responding in server channels more broadly than operators expect, increasing the risk of unauthorized interaction, prompt exposure, spam amplification, and accidental data disclosure in public or semi-public spaces.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installer directly patches existing project files and writes new code into the host tree without an explicit confirmation gate. In the context of a plugin skill, this is dangerous because the skill modifies trusted application code and UI behavior automatically, increasing the chance of unauthorized or unnoticed persistence.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically running build and restart subprocesses after install introduces immediate operational changes without prior confirmation. This can disrupt running services, trigger unexpected code execution paths, and make a risky install action harder for users to inspect or stop.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The uninstall hook deletes tracked files immediately without an explicit confirmation step. While file deletion is expected during uninstall, doing so silently can remove user-relied components or partially break the host application, especially since rollback of patched files is incomplete.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly requires enabling Discord's Message Content Intent but does not mention the privacy, compliance, and data-minimization implications of collecting user message content. In a bot-integration setup guide, this omission can lead operators to over-collect sensitive user data without informed consent, appropriate retention controls, or assessment of whether the intent is truly necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The troubleshooting guide tells users to pass a Discord bot token directly on the command line, which can expose the secret through shell history, process listings, terminal recordings, and shared logs. In an operational integration guide, this is a real credential-handling weakness because users commonly copy commands verbatim during setup and debugging.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recovery procedure instructs users to delete local Discord state files with rm but does not warn that this permanently removes cached state and may disrupt service or erase locally stored integration metadata. In a troubleshooting document, destructive commands without clear data-loss warnings increase the risk of accidental damage during incident response.

VirusTotal

59/59 vendors flagged this skill as clean.
