configure-discord
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: LOWCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (LOW): Shell commands are executed using user-supplied strings. Evidence: Step 8 interpolates the $WEBHOOK_URL variable into a curl command. While the skill instructs the agent to validate the URL prefix, a failure to strictly enforce this could allow shell argument injection.
- [CREDENTIALS_UNSAFE] (LOW): Discord authentication tokens and webhook URLs are stored in a local JSON file in plaintext. Evidence: Configuration is saved to ~/.codex/.omx-config.json. Users should ensure appropriate file system permissions for the configuration directory.
- [DATA_EXFILTRATION] (LOW): The skill transmits data to an external, non-whitelisted domain (discord.com) during setup verification. Evidence: Step 8 performs a curl POST request to a user-defined URL to verify connectivity.
Audit Metadata