discord
Fail
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill documentation explicitly supports the use of the 'file:///' protocol for the 'mediaUrl' parameter in several actions.
  - Evidence: The instructions for 'emojiUpload', 'stickerUpload', and 'sendMessage' state that 'mediaUrl' supports local files using the 'file:///path' format.
  - Risk: This capability allows an agent to read arbitrary local files from the execution environment. A malicious prompt or an indirect injection could trigger the agent to read sensitive files (e.g., credentials, private keys) and transmit them to a Discord channel.
- [PROMPT_INJECTION]: The skill architecture creates a significant surface for indirect prompt injection by processing untrusted data from Discord messages.
  - Ingestion points: The 'readMessages', 'fetchMessage', and 'searchMessages' actions (SKILL.md) ingest external, user-controlled content into the agent's context.
  - Boundary markers: Absent. The skill lacks instructions or delimiters to help the agent distinguish between system instructions and untrusted data within the messages.
  - Capability inventory: The tool possesses high-privilege capabilities across multiple files, including message deletion, channel deletion ('channelDelete'), and user moderation ('timeout').
  - Sanitization: Absent. There is no evidence of filtering or validation for the content retrieved from Discord.
  - Risk: External users on Discord can craft messages that act as instructions, potentially tricking the agent into performing unauthorized moderation actions or disclosing internal information.
Recommendations
- AI detected serious security threats