Discord

Security checks across malware telemetry and agentic risk

Overview

This is the official OpenClaw Discord plugin, and the sensitive Discord access it uses is coherent with running a Discord channel integration.

Install this only with a dedicated Discord bot token and permissions no broader than needed. Review action gates, guild/channel allowlists, DM policy, configWrites, thread bindings, approval destinations, and voice settings before enabling it; keep OpenClaw state and logs private because they may contain webhook tokens, approval command previews, and voice or audio transcripts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: This code reads a Discord bot token from configuration and the DISCORD_BOT_TOKEN environment variable, normalizes it, and returns the token value in the function result. Returning raw secrets from an inspection/helper routine materially increases exposure because any caller, logger, telemetry path, or downstream consumer can accidentally disclose or misuse the credential; for a Discord bot token, compromise enables full bot impersonation.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The function silently accesses process.env.DISCORD_BOT_TOKEN and includes the resolved secret in its returned object without any disclosure, consent boundary, or indication that environment credentials are being inspected. In a skill/plugin context, this is dangerous because environment variables often contain high-value credentials that users do not expect utility or account-inspection code to expose.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The approval UI intentionally includes `commandText` and optional secondary previews in Discord messages, which sends potentially sensitive shell commands, arguments, paths, tokens, or data references to a third-party platform. Even though this is part of an approval workflow, there is no evident masking, redaction, or explicit disclosure control before transmitting the command content, so sensitive operational details may be exposed to Discord recipients or retained in Discord logs/history.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: This code logs transcribed Discord voice content, including speaker identity and transcript preview, to application logs. Voice transcripts can contain sensitive personal, business, or authentication-related information, so storing them without clear disclosure, minimization, or opt-in materially increases privacy and data-exposure risk if logs are accessed, retained, or forwarded to third-party observability systems.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The realtime path logs final user transcripts from live voice conversations, which may expose sensitive spoken content in near real time to logs and downstream log processors. Because this occurs in a live Discord voice context, users are less likely to expect their speech to be persisted in logs, making the privacy risk more acute.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: When the message contains an audio attachment but no typed text, this code automatically sends attachment URLs and inferred media types to a transcription runtime. There is no user-facing notice, consent check, or policy gate in this flow, so private voice content may be transmitted to another component or service unexpectedly, creating a privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The manager persists binding records to disk, and those records include sensitive metadata such as webhookId and webhookToken. Storing operational secrets on disk increases the risk of token disclosure through local compromise, backups, logs, or overly broad filesystem permissions, which could enable unauthorized message sending via the webhook.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This code retrieves and reuses stored webhook credentials without any visible controls around secret lifetime, rotation, or protection. If those cached tokens are exposed elsewhere in the application state or on disk, an attacker can reuse them to impersonate the integration and post messages into Discord channels.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The manifest explicitly advertises that Discord can write configuration in response to channel events or commands, which creates a powerful state-changing capability reachable from a chat surface. In a Discord-integrated agent, this can enable unauthorized or socially engineered configuration changes, persistence, policy weakening, or privilege expansion if command authorization is imperfect or if users do not understand that chat interactions can modify system configuration.

VirusTotal

58/58 vendors flagged this plugin as clean.

View on VirusTotal