Discogs Claw

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: discogs-claw

Version: 1.0.2

The skill is designed to search Discogs for vinyl prices. It uses `curl` to interact with the Discogs API and `jq` for JSON parsing and construction. User input for the search query is properly URL-encoded using `jq -R -r @uri` before being used in `curl` commands, preventing shell injection. The Discogs API token is handled securely via an environment variable or config file and passed in an Authorization header. The instructions in `SKILL.md` are for formatting the agent's output and do not contain any malicious prompt injection attempts. There is no evidence of data exfiltration, unauthorized command execution, or persistence mechanisms.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can make authenticated Discogs API requests using your Discogs token.

Why it was flagged

The script requires a Discogs personal access token and sends it in the expected Discogs Authorization header. This is necessary for the stated API integration and no unrelated destination or logging is shown, but it is still delegated account access.

Skill content

if [ -z "$DISCOGS_TOKEN" ]; then ... -H "Authorization: Discogs token=${DISCOGS_TOKEN}"

Recommendation

Use a Discogs token intended for this purpose, avoid exposing it in logs or shared shells, and revoke it if no longer needed. The skill metadata should ideally declare this credential requirement.