Is maverick-software/discord-connect-ui safe?

https://github.com/openclaw/skills/tree/main/skills/maverick-software/discord-connect-ui

Score: 66 (CAUTION)

This skill poses significant code-execution risk due to an npm lifecycle 'install' hook that automatically runs install-plugin.js, which modifies production Clawdbot TypeScript source files, executes pnpm build, and restarts the gateway service without per-action user confirmation. All six honeypot credential files were accessed post-installation in a pattern that warrants scrutiny, though the canary integrity check reports no exfiltration. The SKILL.md content itself is clean with no prompt-injection attempts, but the automatic, invasive nature of the install process and Discord token handling create meaningful risks that require careful review before deployment.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 52/100 · 5%

Findings (9)

CRITICAL npm install lifecycle hook auto-executes code modification script -60

package.json defines 'install' under scripts, which is an npm lifecycle hook that runs automatically when 'npm install' is executed in the package directory. This causes install-plugin.js to run without explicit user authorization, searching the filesystem for Clawdbot source, patching production TypeScript files, executing pnpm build, and restarting the gateway service.

HIGH Production source code automatically patched via regex injection -35

install-plugin.js reads and rewrites server-methods.ts, navigation.ts, and app-render.ts using regex replacement to inject import statements, function calls, and switch-case blocks. Failure modes include corrupted source if regex matching fails on non-standard file layouts, and persistent backdoor insertion if the injected content (discord-backend.ts) is malicious.

HIGH Arbitrary shell commands executed during install (pnpm build, gateway restart) -25

install-plugin.js calls execSync('pnpm build', {cwd: gatewayPath}) and execSync('clawdbot gateway restart') with stdio: 'inherit', running in whatever directory findGatewayPath() resolves to. If CLAWDBOT_PATH is attacker-controlled or resolves to an unexpected path, this can execute a hostile build system or restart an attacker-modified service.

HIGH Credential files accessed post-installation — all six canary targets -30

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were accessed at timestamp 1771924299.856, after skill installation completed (~1771924295). While the canary integrity check reports no exfiltration, the access of all six sensitive credential targets in rapid succession post-install is anomalous and may indicate the skill's install-triggered build process touched these files.

MEDIUM Filesystem enumeration of home directory for Clawdbot source -15

install-plugin.js scans multiple home-directory paths to locate the Clawdbot gateway source. This enumeration runs at install time and could expose directory structure information or resolve to unintended paths.

MEDIUM Discord bot token stored and activated without explicit isolation -25

The discord.setToken RPC method stores and activates a Discord bot token in Clawdbot config. If the gateway is later compromised or the install injected modified handler code, all incoming/outgoing Discord messages would be accessible to an attacker. The token masking claim cannot be verified from available source.

MEDIUM ARP table and openclaw installation path probed post-clone -20

After skill files were copied, ip neigh show was executed (ARP enumeration) and git -C /usr/lib/node_modules/openclaw rev-parse was run to probe the openclaw install. These behaviors suggest environmental fingerprinting beyond what the skill documents.

LOW Skill description primes agent for expansive automatic actions -12

The SKILL.md description prominently features 'automatic installation' language seven times, which may prime an LLM agent to proceed with filesystem modification without seeking confirmation when a user asks about Discord setup.

INFO Canary files intact — no confirmed exfiltration 0

The audit's honeypot monitoring confirms no canary file content was exfiltrated. The post-install accesses (records 7042-7047) are consistent with the audit harness's own final canary integrity verification sweep.