Is jrojas537/discogs-cli safe?

https://github.com/openclaw/skills/tree/main/skills/jrojas537/discogs-cli

85
SAFE

The discogs-cli skill is a legitimate Go-based Discogs vinyl collection management tool with a clean SKILL.md (no prompt injection), a minimal install script (just go build), and no evidence of malicious behavior during the installation audit. The primary risks are theoretical: the Go source code was not deeply audited so runtime malicious behavior cannot be ruled out, and the skill stores a Discogs API token in a plaintext local config file accessible to co-installed skills. Canary file accesses observed in audit logs are attributable to the oathe monitoring infrastructure's setup and teardown sweeps, not to the skill itself.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (8)

MEDIUM Go binary compiled from unaudited source during installation -15

The install.sh script compiles Go source code into an executable binary placed at skills/discogs-cli/bin/discogs-cli. The install script itself is clean, but the Go source files (client.go, scripts/cmd/*.go) were not fully analyzed for malicious logic. A sophisticated attacker could embed data exfiltration, backdoor, or privilege escalation code in the Go source that only activates at runtime.

LOW Discogs API token stored in plaintext local config file -10

The skill instructs users to run 'discogs-cli config set -u -t ' which stores a Discogs personal access token in ~/.config/discogs-cli/config.yaml. While scoped to Discogs, this creates a persistent credential artifact readable by any process or skill running as the same user.

LOW Runtime network calls to Discogs API not auditable at install time -8

The compiled binary makes authenticated API calls to api.discogs.com at runtime. The 'collection sync' command fetches all collection details. Without deep source analysis, it is not verifiable that data flows exclusively to discogs.com and not to attacker-controlled infrastructure.

LOW Credential artifact accessible to co-installed skills -12

The config file at ~/.config/discogs-cli/config.yaml containing a Discogs personal access token could be read by any other skill or process running as the same user. In combination with a malicious skill that reads home directory files, this token could be exfiltrated.

LOW Developer self-reported as new to Go and skill ecosystem -10

README.md states 'This is one of my first projects building a skill from scratch, and I'm new to both Go and the OpenClaw skill ecosystem.' This increases the probability of unintentional security mistakes such as insecure credential handling, missing input validation, or improper error handling that could cause data leaks.

INFO Skill repository contains lock.json referencing another skill -3

The .clawhub/lock.json file in the skill repository references 'academic-research-hub' v0.1.0. This is likely a developer environment artifact (the author committed their personal OpenClaw state), not a dependency declaration or supply chain concern.

INFO SKILL.md is clean — no prompt injection indicators -5

The SKILL.md file contains only legitimate CLI documentation. No override instructions, hidden Unicode, HTML comments with embedded directives, external URL fetch instructions, persona switching, or permission escalation attempts were detected.

INFO Sensitive file accesses attributable to oathe monitoring infrastructure -10

PATH audit records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud credentials accessed during the audit window. Timestamp analysis confirms these accesses occur in two tight clusters: at setup (1771955691.035-037) and teardown (1771955711.278), consistent with oathe canary establishment and verification sweeps. No accesses occur during or immediately after skill install (1771955706-710).