Search Discord message history via discrawl SQLite database. Use when the user asks about past conversations, previous discussions, historical messages, or a...
Security Analysis
high confidenceThe skill is coherent with its stated purpose (searching a local Discrawl SQLite DB) but has a few manifest/instruction omissions and a small implementation risk (unsanitized shell SQL) you should review before use.
The skill's name, description, SKILL.md, and included scripts all consistently target searching a local Discrawl SQLite database (~/.discrawl/discrawl.db). However, the runtime assumes the 'discrawl' CLI is available and that the local DB exists, yet the manifest declares no required binaries or config paths — a minor inconsistency in declarations (the skill does need access to the local DB and a discrawl binary to function).
SKILL.md and scripts instruct the agent to read/query the local Discrawl database (message contents, raw_json, members, channels). The script and examples also allow/encourage raw SQL queries and the provided search_history.sh directly interpolates user-supplied query and channel into SQL strings executed via the discrawl CLI. This creates two concerns: (1) the manifest does not declare the config path (~/.discrawl/discrawl.db) even though the skill reads it, and (2) the script is vulnerable to SQL-injection or shell-escaping issues if untrusted input is used. There are no instructions to send data to external endpoints.
There is no install spec (instruction-only), so nothing will be downloaded or written during install. The included script expects the 'discrawl' CLI to be present; absence of an install instruction is reasonable but the manifest should have declared the dependency.
The skill requests no environment variables or credentials, which is proportionate. However it does access sensitive local data (Discord messages and raw_json in ~/.discrawl/discrawl.db). That access is consistent with the purpose but represents a privacy-sensitive capability the user should be aware of.
The skill is not marked always:true and doesn't request elevated platform privileges or modification of other skills. It is user-invocable and can be invoked autonomously per platform default; that is expected for skills of this kind.
Guidance
This skill appears to do what it says: query a local Discrawl SQLite database. Before installing or enabling it, confirm the following: 1) The agent environment actually has the 'discrawl' CLI and the database at ~/.discrawl/discrawl.db (the manifest did not declare these). 2) Understand privacy implications — the skill can read all stored Discord messages (raw_json, attachments metadata, etc.). Only enable it if you trust the agent and the environment. 3) The provided script interpolates user input directly into SQL executed via the shell; if you or the agent supply untrusted input this can break queries or be abused. If you plan to use this skill with external inputs, sanitize/parameterize queries or restrict to read-only, pre-built queries. 4) If you need stronger guarantees, ask the author to: declare the discrawl binary and config path in the manifest, add input sanitization or parameterized SQL, and include an install/check step that validates the DB path and permissions. If you are unsure, test the script locally on a copy of the DB first or run it in a restricted/sandboxed environment.
Latest Release
v1.0.0
Initial release: Discord history search via discrawl SQLite
Popular Skills
Published by @jonathanjing on ClawHub
