Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pangolinfo AI SERP: AI Mode Output + AI Overviews
v1.0.4
Google AI Mode search (multi-turn) with structured JSON outputs and citations. Use this skill when the user wants AI answers with references, follow-up quest...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code and SKILL.md align with the declared purpose: a Pangolin client that performs Google SERP and AI Mode queries and returns structured JSON. The only mismatch is registry metadata listing 'Required env vars: none' while SKILL.md and the script clearly require PANGOLIN_API_KEY or PANGOLIN_EMAIL+PANGOLIN_PASSWORD.
Instruction Scope
Instructions explicitly tell the agent to solicit credentials and to cache the API key at ~/.pangolin_api_key (or to use env vars for a one-time login). That is within scope for an API client but is a sensitive action: the skill directs writing secrets to disk and running the included script, which will transmit credentials to https://scrapeapi.pangolinfo.com/auth. The SKILL.md also instructs interactive guidance and automated caching—this grants the agent the ability to persist secrets locally.
Install Mechanism
No install spec; this is an instruction + script bundle that runs with the system Python (zero Python dependencies). No remote downloads or package installs are performed by the skill itself.
Credentials
The only credentials referenced are Pangolin credentials (API key or email/password), which are proportionate to the described functionality. However, the registry metadata omits required env vars (inconsistent) and some reference docs mention a different cache filename (~/.pangolin_token) than the code (~/.pangolin_api_key), indicating documentation mismatches.
Persistence & Privilege
The script persistently caches the resolved API key at ~/.pangolin_api_key and the SKILL.md emphasizes permanent caching. The skill does not request 'always: true', but persistent local storage of credentials increases blast radius if you later regret granting access—deleting the cache file is needed to remove stored credentials.
What to consider before installing
This package is a self-contained Pangolin API client that needs a Pangolin API key (or email+password) to operate and will persistently cache the API key at ~/.pangolin_api_key. Before installing or providing secrets:
1) Verify you trust the Pangolin service and the endpoint (https://scrapeapi.pangolinfo.com); prefer providing an API key rather than email+password.
2) Understand the script will write the API key to a dotfile in your home directory—remove that file to revoke local access.
3) Note inconsistencies: registry metadata claims no required env vars and some docs mention a different token filename; these are signs of sloppy packaging (not necessarily malicious).
4) The included self-test expects authentication to succeed—running tests without credentials will fail.
If you are uncomfortable storing credentials on disk, do not provide them and consider running the script manually in a controlled environment or creating a restricted API key that you can revoke.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-mode, ai-overview, api, automation, data-pipeline, google, json, latest, scraping, serp
