ClawHub

Discogs Cli

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Discogs command-line skill, but its installer and credential storage are under-scoped enough that users should review it before installing.

Review or fix the installer path before running it. If you install, protect ~/.config/discogs-cli/config.yaml, use a revocable Discogs token, confirm exact release IDs before wantlist add/remove commands, and remember that collection/value data and album art are cached locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that perform shell execution, network access, and local file writes, yet it declares no permissions or trust boundaries. In an agent setting, this can mislead operators and downstream policy systems about what the skill is able to do, increasing the risk of unintended command execution, credential storage, and external data exfiltration.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README instructs users to store a Discogs username and personal access token in a local configuration file while giving no details about file location, permissions, encryption, or local exposure risks. For a skill handling account credentials, this omission can lead users to store reusable tokens insecurely and increases the chance of credential theft from a shared machine, backups, or world-readable files.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The README documents commands that add and remove items from a user's Discogs wantlist without warning that these operations perform live remote account changes. In an agent/skill context, users may treat examples as harmless reads, so the lack of caution raises the risk of unintended state-changing actions on the user's account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup instructions tell the user to store a Discogs secret token in a local configuration file, but they provide no warning about sensitivity, filesystem permissions, or safer alternatives. Secrets written to disk can be exposed through weak permissions, backups, logs, or other local processes, which is especially risky in shared or agent-managed environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal