discord-read

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [Command Execution] (MEDIUM): The 'Direct File Read' method documented in the skill uses shell variable interpolation (cat ./data/{server_id}/{channel_name}/messages.md). This pattern is vulnerable to path traversal if the server_id or channel_name variables contain directory traversal sequences (e.g., ../../), potentially allowing the agent to access files outside the intended data directory.
  • [Prompt Injection] (LOW): The skill is highly susceptible to Indirect Prompt Injection as it processes untrusted text data from Discord conversations. Attackers could place malicious instructions in Discord channels that the agent might follow when reading those messages.
      • Ingestion points: Local markdown files (messages.md) containing external chat history.
      • Boundary markers: No specific delimiters or safety instructions are used to separate user data from system instructions in the provided execution patterns.
      • Capability inventory: The agent has the ability to execute shell commands (cat) and local Python scripts.
      • Sanitization: There is no evidence of content sanitization or filtering for the retrieved message data before it is presented to the LLM.
  • [Data Exfiltration] (LOW): The skill accesses sensitive communication data (Discord messages). Although this is the stated primary purpose, the lack of isolation between the data and the agent's command execution environment creates a risk of unauthorized data access or exfiltration if the agent is manipulated via the aforementioned path traversal or prompt injection vectors.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:44 PM