discord-members
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill fetches and processes rich profile data (bios, pronouns, connected accounts) from Discord. This represents a significant attack surface.
  - Ingestion points: `profile_fetcher.py` and `member_query.py` ingest user-controlled strings (bios, names) into the agent's context.
  - Boundary markers: No explicit delimiters or 'ignore embedded instructions' markers are mentioned in the skill instructions.
  - Capability inventory: The skill executes multiple Python scripts (`member_query.py`, `churn_tracker.py`, `profile_fetcher.py`, `member_export.py`) and writes data to the file system (CSV/JSON exports).
  - Sanitization: There is no evidence of sanitization or filtering of the fetched profile content before it is processed or used in queries.
- Command Execution (MEDIUM): The skill relies on executing local Python scripts via subprocess calls. While these are part of the plugin, the arguments (such as search queries in `member_query.py`) are derived from user input, which could lead to command injection if not properly sanitized within the scripts.
- Data Exposure (MEDIUM): The skill facilitates the export of server member data to CSV, JSON, and Markdown files. While this is a functional feature, it provides a streamlined path for data exfiltration if the agent is manipulated by an indirect prompt injection attack.
- Credential Usage (INFO): The skill requires a `DISCORD_USER_TOKEN`. While the token itself is not hardcoded, using a user token for automated queries (self-botting) is a high-risk activity that can lead to credential revocation or account termination by the service provider.
Recommendations
- AI detected serious security threats