Discogs Claw

Security checks across malware telemetry and agentic risk

Overview

Discogs Claw is a straightforward Discogs price lookup skill that uses a user-provided Discogs token for expected API calls.

Install only if you are comfortable giving the agent a Discogs API token and sending your record search terms to Discogs. Prefer an environment variable or secret store, avoid pasting real tokens into shared logs or screenshots, and revoke the token if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 96%
Finding
The skill instructs users to supply a Discogs API token and send search queries to the Discogs API, but it does not disclose that both the user query and authentication token will be transmitted to a third-party service. This creates a transparency and privacy risk because users may provide sensitive search terms or credentials without understanding the external data flow.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation instructs users to place a Discogs personal access token directly into curl commands but does not warn about secure storage, shell history leakage, redaction, or avoiding hardcoding credentials. This can lead to accidental exposure of reusable API credentials in terminals, logs, screenshots, or checked-in scripts.

VirusTotal

66/66 vendors flagged this skill as clean.