agent-discord

SUSPICIOUS: The install source appears legitimate and proportionate, but the skill’s auth model relies on silent extraction of a Discord user token from the desktop app and grants an agent broad messaging/read/upload capabilities. Data flows appear to Discord rather than an unknown proxy, so this is not confirmed malware, but it is a high-sensitivity communication skill with notable credential and autonomy risk.