OpenCode Discord Thread

Security checks across malware telemetry and agentic risk

Overview

This skill appears to hand coding tasks to OpenCode and mirror detailed run content into Discord, which is useful but under-scoped for private repositories or sensitive prompts.

Install only if you are comfortable with coding prompts, execution details, errors, and possibly repository-derived content being posted to a Discord thread. Use it on non-sensitive repositories first, configure a private Discord destination, and avoid sending secrets or confidential code unless the skill adds explicit confirmation and redaction controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill clearly requires sensitive capabilities including environment access, local file/repository access, shell execution, and network access to Discord/OpenCode, yet it does not declare permissions. This creates a governance and review gap: operators may invoke it without understanding that it can read local data, execute commands, and transmit content externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented behavior expands beyond the stated purpose by creating new public Discord threads, posting transcript content after completion, and attaching to an existing OpenCode backend/session. That mismatch is security-relevant because users may consent to progress mirroring but not to session reuse, broader transcript disclosure, or creation of new externally visible collaboration surfaces.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the bridge to summarize OpenCode event output and mirror it into Discord, but the description does not prominently warn that prompts, execution details, repository context, diffs, errors, or other sensitive content may be transmitted to a third-party service. In this context, Discord is an external observer surface, so undisclosed exfiltration of development data is a real confidentiality risk.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The default prompt is broad enough that many ordinary coding requests could trigger this skill without the user explicitly intending to hand work to OpenCode or publish progress externally. In this skill's context, that broad activation is more dangerous because execution is coupled with mirroring activity into a Discord thread, creating both unintended delegation and unintended disclosure risk.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
Enabling implicit invocation without tight activation boundaries allows the agent to invoke this skill automatically based on loosely related coding-task language. Because this skill hands tasks to another system and mirrors run progress into Discord, unintended activation can expose task contents, code, or metadata to an external channel without a deliberate user decision.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The manifest description and prompt say progress will be mirrored to Discord, but they do not clearly warn that task details may be transmitted to an external third-party communication platform. In this context, the omission is especially dangerous because users may interpret 'mirror progress' as harmless status updates when it could include sensitive code, prompts, filenames, errors, or other operational data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script posts the prompt, recent event summaries, stderr snippets, and the extracted OpenCode transcript directly into a Discord thread. In a coding-agent workflow, those fields can contain source code, secrets, credentials, internal file paths, vulnerability details, or other sensitive repository data, and the skill provides no consent gate, redaction, or data-minimization controls before exfiltrating that content to a third-party service.

VirusTotal

67/67 vendors flagged this skill as clean.
