Discogs Sync
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: discogs-sync
Version: 0.1.10
The discogs-sync skill bundle is a legitimate CLI tool for managing Discogs wantlists and collections. It implements standard authentication flows (Token and OAuth 1.0a), stores credentials with restricted permissions in `~/.discogs-sync/config.json`, and uses a proactive rate limiter for API interactions. The bootstrapping logic in `discogs-sync.py` and the use of a local `.deps/` directory are standard patterns for portable Python utilities, and no evidence of malicious intent or data exfiltration was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with removal options, the tool can change or remove entries in your Discogs account.
The CLI can remove Discogs collection items during bulk sync, while also offering a dry-run option. This is aligned with the skill purpose, but it is an account-mutating operation.
@click.option("--remove-extras", is_flag=True, help="Remove collection items not in input file")
@click.option("--dry-run", is_flag=True, help="Show what would be done without making changes")
Use dry-run before bulk syncs and confirm add/remove requests, especially when an agent is deciding which command to run.
Anyone or anything that can use the stored token may be able to read or modify your Discogs wantlist or collection.
The skill requires Discogs credentials to act on the user's account and stores them persistently. This is expected for the integration, but it grants ongoing account access.
Credentials are stored in `~/.discogs-sync/config.json`.
Use a Discogs token only for the needed account, keep the local config file protected, and revoke or clear the token when you no longer need the skill.
First use may download newer compatible package versions from the Python package ecosystem.
The skill downloads dependencies automatically on first run and uses version ranges rather than exact pinned versions. This is disclosed and purpose-aligned, but it depends on external package supply chain integrity.
Python packages (installed automatically on first run):
- `python3-discogs-client>=2.8`
- `click>=8.1`
- `rich>=13.0`
Install only if you are comfortable with the listed dependencies; for stricter environments, pin and review dependency versions before running.
Your Discogs wantlist, collection, or marketplace lookup results may remain on disk after the command finishes.
The skill persists cached Discogs list and marketplace data under the user's home directory for reuse across commands. This is useful for performance but stores personal account-related data locally.
"""File-based TTL cache for list results (wantlist, collection, marketplace).""" ... return Path.home() / ".discogs-sync"
Use the cache purge/cleanup behavior or remove ~/.discogs-sync cache files if you do not want this data retained locally.
