Discogs Sync
Pass
Audited by ClawScan on May 1, 2026.
Overview
Discogs Sync appears purpose-aligned, but it installs Python dependencies, stores a Discogs token locally, and can change your Discogs wantlist or collection.
Install this only if you want an agent/CLI to manage your Discogs wantlist or collection. Authenticate with a token you are comfortable storing locally, use dry-run before bulk syncs, and review remove operations before allowing them to run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with removal options, the tool can change or remove entries in your Discogs account.
The CLI can remove Discogs collection items during bulk sync, while also offering a dry-run option. This is aligned with the skill purpose, but it is an account-mutating operation.
@click.option("--remove-extras", is_flag=True, help="Remove collection items not in input file")
@click.option("--dry-run", is_flag=True, help="Show what would be done without making changes")
Use dry-run before bulk syncs and confirm add/remove requests, especially when an agent is deciding which command to run.
Anyone or anything that can use the stored token may be able to read or modify your Discogs wantlist or collection.
The skill requires Discogs credentials to act on the user's account and stores them persistently. This is expected for the integration, but it grants ongoing account access.
Credentials are stored in `~/.discogs-sync/config.json`.
Use a Discogs token only for the needed account, keep the local config file protected, and revoke or clear the token when you no longer need the skill.
First use may download newer compatible package versions from the Python package ecosystem.
The skill downloads dependencies automatically on first run and uses version ranges rather than exact pinned versions. This is disclosed and purpose-aligned, but it depends on external package supply chain integrity.
Python packages (installed automatically on first run):
- `python3-discogs-client>=2.8`
- `click>=8.1`
- `rich>=13.0`
Install only if you are comfortable with the listed dependencies; for stricter environments, pin and review dependency versions before running.
Your Discogs wantlist, collection, or marketplace lookup results may remain on disk after the command finishes.
The skill persists cached Discogs list and marketplace data under the user's home directory for reuse across commands. This is useful for performance but stores personal account-related data locally.
"""File-based TTL cache for list results (wantlist, collection, marketplace).""" ... return Path.home() / ".discogs-sync"
Use the cache purge/cleanup behavior or remove `~/.discogs-sync` cache files if you do not want this data retained locally.
