ClawHub

Openclaw Discord 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This official Discord integration is not shown to be malware, but it exposes live Discord credentials through an inspection API and includes broad Discord administration and voice-data handling that should be reviewed before use.

Install only if you are comfortable giving this plugin a Discord bot token with the permissions configured for that bot. Use the least-privileged bot role possible, disable unneeded actions such as channel management, moderation, voice, exec approvals, and thread bindings, avoid storing raw tokens in committed config, rotate any token that may have been exposed through logs or inspection output, and treat voice/transcript features as sensitive data processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This function reads the Discord bot token from process environment variables and returns the raw token in the inspection result. An account-inspection helper should report presence/status, not disclose live credentials, because any caller of this API can exfiltrate and reuse the bot token for full bot impersonation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The helper normalizes configured secret input and returns the actual Discord token value from configuration, stripping a Bot prefix but otherwise exposing the credential intact. This converts a status/inspection routine into a secret-retrieval primitive, which can be abused by downstream code to steal stored credentials.

Context-Inappropriate Capability

High
Confidence
84% confidence
Finding
This code exposes an execution-approval surface in Discord that can resolve approvals over a gateway, which is a sensitive privilege boundary because approval actions can authorize downstream exec operations. Even though approver checks exist, embedding privileged approval handling into a chat provider materially increases attack surface and makes any bypass, misconfiguration, or account compromise much more dangerous.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file exports a wide set of Discord capabilities including channel management, moderation, permissions changes, message operations, webhook sending, media uploads, and voice features, creating a highly privileged control surface. In the absence of any visible authorization, scope restriction, or purpose limitation in this file, a caller that can invoke these functions could perform broad administrative actions across a guild.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code directly exposes timeout, kick, and ban operations for guild members and accepts attacker-controlled targets and optional reasons. If these functions are reachable from an agent workflow without strong policy checks, they enable arbitrary user moderation and service disruption against community members.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file provides functions to create, edit, move, and delete channels and to set or remove channel permissions, which can reshape guild structure and revoke or grant access. Without embedded validation or business-rule enforcement, these operations could be abused to lock out users, expose private channels, or damage server organization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code retrieves a sensitive Discord bot token from env/config and exposes it through a returned object without any access control, warning, or indication that secret disclosure is occurring. Even if intended for internal use, this lack of guardrails makes accidental logging, serialization, or plugin misuse much more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code logs transcribed voice content and agent responses, including speaker labels, guild/channel identifiers, and transcript previews. In a Discord voice context, that creates a real privacy and sensitive-data exposure risk because spoken content may contain secrets, personal data, or regulated information, and logs are often retained or accessible to operators beyond the conversation participants.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code writes captured voice audio to temporary WAV files on disk before transcription, which creates at-rest exposure of raw spoken content. Even though cleanup is scheduled, the files persist for up to 30 minutes and may be recoverable by other local processes, backups, crash artifacts, or forensic inspection if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code automatically forwards audio attachment URLs to a transcription runtime when a message contains audio but no typed text, with no visible consent, notice, or policy gate in this file. That can expose private voice content and attachment URLs to downstream processing services, especially in direct messages where users may reasonably expect stronger privacy protections.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Message text and channel context are sent to a completion model to generate thread titles, but there is no user-facing notice or consent at the call site. This creates a privacy and data-governance risk because user content may be transmitted to an external model provider unexpectedly, especially in Discord channels where participants may not expect secondary AI processing for metadata generation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code performs a directory search for a user-provided identifier and then persists the resolved Discord user information locally via `rememberDiscordDirectoryUser` without any visible consent, notice, or policy enforcement in this flow. Even if intended to improve usability, silently resolving and storing user identities can create privacy and data-handling risks, especially if users do not expect lookups or local retention of handles and IDs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code persists binding state to disk and the binding record includes sensitive fields such as webhookId and webhookToken in metadata exposed through the record lifecycle. Persisting long-lived webhook credentials in plaintext application state increases the risk of token theft from local disk, backups, logs, or other processes on the host, which could enable unauthorized message posting into Discord channels/threads.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists Discord thread-binding records to disk by copying entire records into JSON, and those records may include webhookToken values. Storing live webhook credentials in plaintext local state increases the risk of credential disclosure through local file access, backups, logs, or unintended artifact packaging, which could enable unauthorized message sending via the webhook.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal