agent-discord

SUSPICIOUS. The messaging capabilities fit the stated purpose, but the skill's main auth model—silent extraction of Discord user tokens from desktop/browser storage—is disproportionate and high-risk. It also enables autonomous posting and file uploads on behalf of the user. Install path looks more like ordinary npm distribution than malware, but the credential-harvesting-style auth flow and broad account access make this skill risky.