Skill v1.3.1

ClawScan security

Discogs Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 17, 2026, 1:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches its stated purpose (a Discogs CLI) but contains a few incoherent or unexpected behaviors — notably a hard-coded absolute cache path that points to another user's home and subtle config/env handling — that warrant caution before installing.
Guidance
This skill appears to implement a real Discogs CLI and uses local compilation (go build). Before installing: 1) Be aware you must provide your Discogs username and personal access token — the tool stores them in a local config file (~/.config/discogs-cli/config.yaml) unless you supply them via environment variables. 2) The code writes album art to a hard-coded path: '/home/Ev05bot/.openclaw/workspace/art_cache/discogs'. That looks like a developer-specific path and may be unintended or problematic in your environment; ask the author to change it to a configurable or user-specific path (for example, use os.UserCacheDir() or relative skill workspace). 3) The README suggests optionally moving the binary to /usr/local/bin (requires sudo); only do that if you trust the code. 4) If you run this on a shared or hosted agent, audit file write locations and ensure the tool cannot access or overwrite sensitive files. If the hard-coded path or the AutomaticEnv behavior is unexplained by the author, treat the package cautiously or request a fix before use.

Review Dimensions

Purpose & Capability
ok: Name/description align with the code and requested binary (Go). The code implements Discogs collection, search, wantlist, caching and art download functionality which matches the skill description.
Instruction Scope
concern: The runtime instructions are straightforward (build with Go, run installer, run `config set` to store token/username), but the code writes album art to a hard-coded absolute path: '/home/Ev05bot/.openclaw/workspace/art_cache/discogs'. That is unexpected for a general-purpose skill (should use the invoking user's home or a relative/workspace path) and looks like a leftover or targeted path. This could fail or, worse, attempt to write into another user's area in a multi-user environment.
Install Mechanism
ok: No remote installers are used in the registry metadata. The provided install.sh compiles local Go source into a binary (go build). Dependencies are typical Go modules from public repos. No downloads from obscure hosts or extract-from-URL steps are present.
Credentials
note: The skill does not declare required environment variables in metadata (none listed), and SKILL.md instructs saving Discogs username/token to a local config file — which is reasonable. However, the code calls viper.AutomaticEnv(), so configuration keys (like 'token'/'username') can also be picked up from environment variables. This behavior is not documented in SKILL.md and could cause unexpected reads from env vars if present. No unrelated cloud credentials or broad secrets are requested.
Persistence & Privilege
ok: The skill does not request always:true or any elevated/persistent platform privileges. It only creates its own config and cache files under the user's directories (aside from the hard-coded path noted above). It does not modify other skills or system-wide agent configs.