Discord Onboarding

Security checks across malware telemetry and agentic risk

Overview

This is a manual Discord setup guide with sensitive but expected bot-token and permission steps that users should handle carefully.

Install only if you intend to connect OpenClaw to Discord. Treat the bot token as a password, keep it out of chat and shell history where possible, use the allowlist and requireMention settings, and grant only the Discord permissions and intents your server actually needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill tells the owner to reset, copy, and store a Discord bot token in local configuration, but never explicitly warns that the token is a secret equivalent to full bot account control. That omission increases the chance the owner will paste it into chat, logs, shell history, screenshots, or insecure config storage, enabling account takeover of the bot and abuse of any servers it can access.

VirusTotal

62/62 vendors flagged this skill as clean.
