Pangolinfo AI SERP: AI Mode Output + AI Overviews

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate Pangolinfo Google-search helper, but it uses Pangolinfo credentials and sends searches to Pangolinfo's paid external API.

Before installing, confirm you trust Pangolinfo with your search queries and account credentials. Prefer using an API key instead of email/password, avoid searching for secrets, watch credit usage for bulk tasks, and delete `~/.pangolinfo_api_key` if you enable caching and later want to revoke local access.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use sensitive Pangolinfo account credentials and may access account credits through the resulting token.

Why it was flagged

If an API key is not supplied, the script authenticates to Pangolinfo by sending the configured email and password to Pangolinfo's auth endpoint.

Skill content

AUTH_ENDPOINT = f"{API_BASE}/api/v1/auth" ... result = _http_post(AUTH_ENDPOINT, {"email": email, "password": password})

Recommendation

Use PANGOLINFO_API_KEY when possible, avoid sharing the account password with the agent, and rotate/revoke credentials if no longer needed.

What this means

A cached token can be reused by later runs until the file is deleted.

Why it was flagged

The setup guide discloses an optional persistent API-key cache in the user's home directory.

Skill content

Optional caching (only if the user explicitly asks for it): ... This persists the API key to `~/.pangolinfo_api_key`. Revoke by deleting that file.

Recommendation

Only enable caching if you want persistent access, protect the local account, and delete `~/.pangolinfo_api_key` when done.

What this means

Search terms, follow-up questions, and screenshot requests are shared with Pangolinfo as part of the service.

Why it was flagged

Search queries and follow-up prompts are packaged into requests sent to Pangolinfo's external scraping API.

Skill content

API_BASE = "https://scrapeapi.pangolinfo.com" ... body = {"url": url, "parserName": parser_name} ... if follow_ups: body["param"] = follow_ups

Recommendation

Do not include secrets or highly sensitive private information in search queries unless you are comfortable sending them to Pangolinfo.

What this means

Bulk searches, monitoring, or repeated agent calls may spend Pangolinfo credits.

Why it was flagged

The provider API is credit-based, so successful tool use has an account-cost impact.

Skill content

- **AI Mode:** 2 credits per request
- **SERP:** 2 credits per request
- **SERP Plus:** 1 credit per request
- Credits are only consumed on success

Recommendation

Set clear limits for bulk or monitoring tasks and confirm before running large batches of searches.