pangolinfo-amazon-daily-competitor-radar

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Pangolinfo-powered Amazon monitoring toolkit with credential and paid API usage caveats, but no evidence of hidden theft, destruction, or deceptive execution.

Install only if you trust Pangolinfo and are comfortable sending Amazon, Google SERP, and WIPO lookup queries to its API service. Prefer `PANGOLINFO_API_KEY` over email/password, monitor paid credit usage, avoid `--raw` output unless needed, and enable token caching or scheduled reports only when you intentionally want persistent local storage or recurring API activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes and relies on sensitive capabilities including environment credentials, shell execution, file read/write, and network access, but does not declare permissions or present user-visible boundaries for those behaviors. That makes downstream execution less transparent and weakens review and consent controls, especially because the SOP also encourages automation and credential reuse across bundled scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest presents the skill as a narrow Amazon competitor-monitoring tool, but the bundled behavior extends into Google querying, screenshot capture, broader Amazon scraping, WIPO lookups, and credential/login handling with local caching. This mismatch is dangerous because users and reviewers may authorize the skill under a much narrower trust assumption than the actual operational scope.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Bundling WIPO trademark/design lookup materially expands the skill beyond Amazon seller monitoring into IP research. Even if useful to some workflows, this increases data-access scope and creates a hidden multifunction tool that may be invoked under assumptions that it only performs competitor analytics.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill explicitly says it should not be used for brand-new niche discovery, yet the SOP performs keyword extraction and niche matching from long-tail descriptions to derive keywords and category intelligence. Contradictory boundaries like this can cause policy bypass and unintended use beyond the declared seller-monitoring scope.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The SOP instructs the agent to invoke a cron-scheduling tool for ongoing automated delivery, which introduces persistent background execution not justified by the declared analytics-only purpose. Persistent scheduling increases the blast radius of any misconfiguration by enabling repeated credential use, recurring data collection, and unattended outbound actions.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The setup guide instructs users to obtain Pangolinfo access for WIPO design database searches, which is materially inconsistent with the skill's declared purpose of Amazon competitor and product monitoring. This kind of scope mismatch can mislead users into granting credentials or paying for a different service than expected, and it is especially risky because the guide also asks for sensitive authentication material, increasing the chance of credential misuse or deceptive data collection.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements a broad Google SERP/AI search client with authentication, arbitrary query support, and screenshot capture, which materially exceeds the advertised Amazon competitor-radar purpose. This scope mismatch is dangerous because it gives the skill undeclared generic web-search capability that could be repurposed for unrelated data collection or operator deception, especially in an agent ecosystem where users rely on manifest descriptions to understand risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
AI-mode conversational search and screenshot capture are unrelated to the stated seller-monitoring purpose and introduce extra capabilities for broad information gathering and visual capture of third-party pages. In context, these undeclared features expand the attack surface and create a stealthier path for collecting off-scope content than users would reasonably expect from an Amazon competitor radar skill.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script advertises and implements broader scraping capabilities, including seller-product enumeration and follow-seller functionality, that exceed the skill's stated scope of monitoring an active seller's own products. This scope mismatch is dangerous because it enables surveillance of arbitrary third-party sellers and competitor intelligence collection beyond user expectations and declared permissions.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The client exposes review scraping via amzReviewV2 even though full review scraping is not disclosed in the stated capabilities. Undisclosed collection features are risky because they expand data access and operational behavior beyond what reviewers and users would reasonably expect from the skill description.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is explicitly a WIPO industrial-design search client, which materially conflicts with the skill’s declared Amazon competitor-monitoring purpose. This capability expansion is dangerous because it introduces undisclosed external-data access and IP-intelligence collection functionality that users would not reasonably expect from the manifest, a common indicator of covert or repurposed behavior.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The request builder assembles parameters for design-rights/intelligence searches such as holder, product, Locarno class, and registration metadata, which are unrelated to the advertised Amazon monitoring workflow. In context, this looks like hidden functionality that could be abused to perform undisclosed competitor or IP surveillance under the guise of a seller analytics tool.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI help and examples openly describe a WIPO Global Design Database client, directly contradicting the skill’s Amazon competitor-radar description. While largely documentary on its own, this mismatch confirms the presence of undeclared functionality and increases confidence that the package is misrepresented to reviewers and users.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase 'Give me my daily market pulse report' is broad and overlaps with ordinary user language, which can cause accidental invocation of a powerful multi-step workflow. In a skill with shell, network, credential, and potential scheduling capabilities, loose triggering increases the risk of unintended data access and external actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill promotes daily or weekly automated scheduling without clearly warning users that this implies repeated background execution and recurring data-access activity. Lack of transparency around persistence and repetition is dangerous because users may unknowingly authorize continuous monitoring with stored credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation directs users to store a permanent API key in a predictable local file path (`~/.pangolinfo_api_key`) without any warning about filesystem permissions, multi-user systems, backups, or secret leakage. Because the same document states tokens are permanent, compromise of that file could grant long-lived unauthorized API access and increase the blast radius of local credential theft.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to authenticate with email and password and shows the auth endpoint, but provides no guidance on secure credential handling, storage, logging, or transport validation. This omission can lead integrators to embed passwords in scripts, shell history, CI logs, or plaintext config files, creating avoidable credential exposure risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide instructs users to export a plaintext password into environment variables without warning that credentials may be exposed through shell history, process inspection, terminal logs, or accidental reuse in later commands. In an agent-assisted environment, asking for email/password is especially risky because it encourages collection of reusable credentials instead of using a scoped API key.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The document instructs users to store long-lived API credentials in an environment variable or a home-directory cache file without any warning about credential sensitivity, file permissions, rotation, or avoidance of accidental logging/commit. In this skill context, the API key grants access to a paid third-party business intelligence service, so insecure handling increases the chance of credential theft, account abuse, and unauthorized consumption of credits.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs users to place their email and password into environment variables, which encourages handling long-lived credentials in a way that may be exposed through shell history, process inspection, logs, crash reports, or shared terminal environments. In this skill context, the risk is real because the document is a first-time setup guide and users are likely to follow it verbatim, increasing the chance of credential disclosure even though an API key alternative is already available.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The documentation explicitly states that API tokens are permanent and do not expire unless the account is deactivated, with no mention of rotation, scope limits, or user-configurable expiration. Long-lived credentials materially increase the blast radius of token leakage from logs, files, environment variables, or compromised machines, especially for a seller-monitoring skill that likely runs unattended and accesses account-linked scraping credits and data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to place a plaintext password into an environment variable, which increases the chance of credential exposure through shell history, process inspection, debug logs, screenshots, or persisted session configs. Although this is a documentation issue rather than active credential theft, it normalizes weaker secret-handling practices and is unnecessary given the presence of a safer API-key option.

VirusTotal

67/67 vendors flagged this skill as clean.
