Discogs Cli

Review

Audited by ClawScan on May 10, 2026.

Overview

The Discogs features are mostly purpose-aligned, but the installer appears to build and write outside the skill directory, so users should review it before setup.

Review and fix the installer before running it. If you proceed, protect the Discogs token config file, use a limited token if possible, approve wantlist add/remove commands explicitly, and be aware that collection/value data is cached locally.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running setup may fail or may compile a binary from an unexpected sibling/parent directory rather than the reviewed source for this skill.

Why it was flagged

Since install.sh is supplied at the skill root, appending /.. makes SKILL_DIR the parent directory. The installer then builds from $SKILL_DIR/scripts and writes to $SKILL_DIR/bin, which may be outside the reviewed discogs-cli skill.

Skill content

SKILL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
SCRIPTS_DIR="$SKILL_DIR/scripts"
BIN_DIR="$SKILL_DIR/bin"
...
go build -o "$BINARY_PATH" .

Recommendation

Fix the installer to resolve the skill root as the directory containing install.sh, build only the included scripts directory, write the binary under the skill's own bin directory, and re-review before running.

What this means

If the agent runs the wrong command or release ID, items could be added to or removed from the Discogs wantlist.

Why it was flagged

The CLI can add and remove releases from the user's Discogs wantlist through authenticated API calls. This matches the stated wantlist-management purpose, but it changes account state.

Skill content

err := client.WantlistRequest("PUT", url, nil)
...
err := client.WantlistRequest("DELETE", url, nil)

Recommendation

Only allow wantlist add/remove after the user confirms the exact release ID and intended action.

What this means

Anyone who can read the local config file may be able to use the Discogs token, depending on file permissions and token scope.

Why it was flagged

The skill requires a Discogs personal token and stores it locally for authenticated API access. This is expected for the integration, but it grants account authority and is not represented as a primary credential in the registry metadata.

Skill content

This command saves your Discogs token and username to a configuration file (`~/.config/discogs-cli/config.yaml`).

Recommendation

Use the least-privileged Discogs token available, protect the config file permissions, and revoke/regenerate the token if it is exposed.

What this means

Local users or backups may retain a copy of the user's Discogs collection and estimated value data.

Why it was flagged

The sync feature persists a local cache of the user's collection details and market data. This is purpose-aligned, but it leaves personal collection/value information on disk.

Skill content

Fetches detailed information for every release in your Discogs collection and saves it to a local cache file (~/.cache/discogs-cli/discogs_cache.json).

Recommendation

Treat the cache as private data, delete it when no longer needed, and ensure local file permissions are appropriate.

What this means

The album-art command may fail on other systems or write files to an unexpected location if permissions allow it.

Why it was flagged

Album-art download is aligned with the skill purpose, but the cache path is hard-coded to a specific home directory instead of the current user or skill workspace.

Skill content

cacheDir := "/home/Ev05bot/.openclaw/workspace/art_cache/discogs"
...
if err := os.MkdirAll(cacheDir, os.ModePerm); err != nil {

Recommendation

Use the current user's cache/workspace directory and restrictive directory permissions instead of a hard-coded /home path.