Is kn71gxkg16twyqz5wzkvt61sh17yjnpd/discord-doctor safe?
https://github.com/openclaw/skills/tree/main/skills/kn71gxkg16twyqz5wzkvt61sh17yjnpd/discord-doctor
Discord Doctor is a documentation-only diagnostic skill (SKILL.md + _meta.json) with no executable code, no prompt injection patterns, and no malicious data exfiltration mechanisms. The installation was clean: only GitHub was contacted for the git clone, no canary files were accessed by the skill itself (pre-install accesses are temporally attributable to the audit harness's own canary baselining), and no unexpected processes or persistent network connections were established. The primary risk vectors are the --fix mode's broad system modification scope (npm install without lockfile, launchd service deletion, config migration), and the surfacing of Anthropic OAuth token state into agent context — both are within the skill's documented purpose but warrant user awareness before deployment.
Category Scores
Findings (6)
LOW System-modifying instructions expand agent authority scope -10 ▶
When injected into the agent system prompt, this skill normalizes agent execution of process management, npm package installation, launchd service deletion, and config directory migration. While within the skill's stated purpose, this implicitly widens the set of operations the agent considers routine, which could be exploited by subsequent prompt injection attacks that reference the skill's established precedents.
LOW Anthropic OAuth token validity surfaced in agent context -10 ▶
The skill checks and displays the user's Anthropic OAuth token validity and remaining lifetime (e.g., 'Valid (expires in 0h 45m)'). This sensitive authentication state is surfaced into the agent's working context. A co-resident malicious skill or injected prompt could observe this output and exfiltrate token timing information to assist session hijacking or credential phishing.
LOW npm install without lockfile or version pinning -13 ▶
The --fix mode instructs the agent to run npm install to resolve missing Discord.js and strip-ansi dependencies. Without a committed package-lock.json or exact version pins, each execution resolves the latest satisfying versions from the npm registry. If any upstream package is compromised between when the skill was authored and when --fix is invoked, malicious code would execute in the user's environment.
LOW --fix mode combines multiple high-impact operations in a single agent action -25 ▶
The --fix flag combines process start/stop, npm dependency installation, launchd service deletion, and config directory migration into a single invocable action. An agent operating autonomously could trigger cascading system changes without user confirmation at each step. If the user's Clawdbot environment is not in the expected state, --fix could delete valid services or overwrite active configs.
INFO Commit provenance references different GitHub organization -8 ▶
The _meta.json commit URL (github.com/clawdbot/skills) differs from the repository serving the skill (github.com/openclaw/skills). This is consistent with a repo migration and not inherently malicious — the clawdbot metadata in SKILL.md frontmatter corroborates the same ecosystem — but it means the commit hash cannot be directly verified against the serving repository.
INFO Canary file accesses preceded git clone — attributable to audit harness -3 ▶
Inotifywait and auditd recorded accesses to all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) at timestamps 1771907460 (~6 seconds before git clone began at 1771907466) and again at 1771907483 (during post-install analysis scripts). Temporal analysis confirms these are the audit harness's own canary baselining and post-install integrity verification passes, not attributable to the skill or install process.