Skill v1.3.1
VirusTotal security
Discogs Cli · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:01 AM
- Hash: 83c35a12c5657b904ac5a8c52b9b69eeae23f98d03956cace2d9f1d62d4215e6
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: discogs-cli; Version: 1.3.1. The skill is classified as suspicious due to a critical vulnerability related to insecure credential storage. The `scripts/cmd/root.go` file uses `os.MkdirAll(configPath, os.ModePerm)` to create the `~/.config/discogs-cli` directory with `0777` permissions, making it world-writable and potentially world-readable. This could allow other local users on the system to access the `config.yaml` file containing the Discogs personal access token and username, leading to local information disclosure. While there is no evidence of intentional malicious behavior like data exfiltration to external endpoints or prompt injection against the agent, this severe vulnerability warrants a 'suspicious' classification.
