Back to skill
Skillv1.0.2
VirusTotal security
Pangolinfo Amazon Scraper · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 25, 2026, 2:41 PM
- Hash
- cc9bb012e906a36b056c6aa0e04c161efd70780fe4a6c541f0497ba196c1d2ba
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pangolin-amazon-scraper Version: 1.0.2 The skill bundle provides a functional client for the Pangolin Amazon Scraper API but employs high-risk patterns for credential management. Specifically, SKILL.md instructs the AI agent to execute shell commands (e.g., using echo to write to ~/.pangolin_api_key) with user-provided input, which creates a shell injection vulnerability. While the Python script (scripts/pangolin.py) includes basic security measures like restricted file permissions (chmod 600), the overall approach of directing an agent to perform filesystem and environment modifications via shell interpolation is risky, even if intended for legitimate setup purposes.
- External report
- View on VirusTotal