discord-integration

Fail

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to programmatically access and extract sensitive credentials from environment files.
      • Evidence found in SKILL.md: grep DISCORD_TOKEN ~/.claude/discordmcp/.env and references to ~/Dev/tjr-suite/.env.
      • Accessing .env files to harvest tokens is a high-risk activity that exposes secrets directly to the agent's context.
  • [COMMAND_EXECUTION]: The skill relies on various shell commands to perform functions, including script execution, API calls, and build processes.
      • Evidence: Execution of node send-test-message.js, npm run build, and curl commands.
      • The manual script execution method (Method 2) provides a vector for running arbitrary local code, and the examples include generating and executing new scripts (multi-channel-send.js).
  • [DATA_EXFILTRATION]: The core functionality involves sending local data to external Discord API endpoints.
      • Evidence: curl -X POST "https://discord.com/api/v10/channels/CHANNEL_ID/messages".
      • While intended for Discord messaging, this capability can be misused to exfiltrate sensitive information retrieved from the local environment via the allowed tools.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads messages from external Discord channels.
      • Ingestion points: The mcp__discord__read-messages tool (Method 1) retrieves content from external text channels into the agent's context.
      • Boundary markers: The instructions lack delimiters or warnings to ignore instructions embedded within the retrieved messages.
      • Capability inventory: Across SKILL.md and examples.md, the agent has access to shell commands (node, curl), file read access (.env), and build tools (npm).
      • Sanitization: There is no evidence of validation or sanitization of ingested message content before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 19, 2026, 05:23 PM