discord-skill

Fail

Audited by Socket on Feb 27, 2026

1 alert found:

Malware: HIGH
SKILL.md

This Discord skill's documented behavior is coherent with its purpose: it needs bot tokens or OAuth to send/read/manage messages on Discord. The main security concerns are storage of long-lived credentials in plaintext under ~/.claude/skills/discord-skill/ (tokens and credentials.json) and the optional support for user-account OAuth (which can violate Discord ToS). There are no signs of remote download-execute chains, third-party intermediary endpoints, obfuscated code, or explicit exfiltration instructions. The confirmation requirement before sending messages is a strong mitigation. Overall this appears functionally legitimate but carries moderate supply-chain/credential risk due to plaintext token storage and unpinned dependency guidance.

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Feb 27, 2026, 03:22 PM
Package URL: pkg:socket/skills-sh/idanbeck%2Fclaude-skills%2Fdiscord-skill%2F@7ccc85bb45961f6179d0d266978870f6165884c0