Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pangolinfo Amazon Product Delete

v1.0.11

WIPO Global Design Database search via Pangolinfo API (industrial design IP lookup).

by Pangolinfo @pangolin-spg
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md, scripts, and references consistently describe a Pangolinfo WIPO Global Design Database search client that uses PANGOLINFO_API_KEY (or email/password). However the top-level name ('Pangolinfo Amazon Product Delete') and the registry slug ('product-discovery-delete') do not match the stated purpose. No homepage or clear publisher information is provided. This metadata mismatch is incoherent and could be a copy/paste or packaging error — it warrants caution.
Instruction Scope
The runtime instructions and the included Python script focus on authenticating and posting queries to Pangolinfo endpoints and presenting results; they do not instruct reading unrelated system files or contacting unrelated external endpoints. The script may optionally cache an API key to ~/.pangolinfo_api_key when the user opts in (via --cache-key or env flag per docs). The SKILL.md explicitly warns about credits consumed by searches.
Install Mechanism
There is no install spec or external download: this is an instruction-only skill that bundles a small Python script and a shell self-test. No remote installers, URL downloads, or archive extraction are present in the package.
Credentials
The skill requests only Pangolinfo credentials (PANGOLINFO_API_KEY or PANGOLINFO_EMAIL + PANGOLINFO_PASSWORD), which are proportional to the described functionality. Minor issues: primary credential field is not set in the registry metadata, and the package includes optional caching to the user's home directory when explicitly enabled. Do not provide unrelated credentials. The presence of an email+password login option means handing over more sensitive secrets if you choose that path.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide agent settings. Disk persistence (caching API key) only occurs if the user explicitly opts in per the documentation.
What to consider before installing
This package appears to implement a Pangolinfo WIPO search client and only needs a Pangolinfo API key (or email/password). However, the published metadata (name and slug) do not match the skill's documented purpose and there is no homepage or clear publisher identity — that inconsistency is the main red flag. Before installing or supplying credentials:
1) confirm the publisher identity (who published this skill?),
2) verify that pangolinfo.com and the API host (scrapeapi.pangolinfo.com) are legitimate and that you trust them,
3) prefer using an API key over email+password, and only enable key caching if you understand and accept caching to ~/.pangolinfo_api_key,
4) be aware that successful searches consume credits, and run the self-test in an isolated environment if you want to inspect behavior.
If you plan to install, consider asking the publisher to fix the metadata (name/slug) mismatch or provide a homepage/source link for provenance; if that cannot be resolved, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: PANGOLINFO_API_KEY