Pangolinfo Amazon Niche Finder

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Pangolinfo API helper for Amazon niche research, with credential and paid-credit risks that fit its purpose.

Install only if you trust Pangolinfo with your Amazon niche research queries and account credentials. Prefer PANGOLINFO_API_KEY over email/password, avoid --cache-key unless you want a reusable local credential, and remember that self-test and filter calls can spend paid credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires and documents powerful capabilities including environment-variable access, shell execution, network access, and file read/write, but does not declare permissions in a structured way. This weakens security review and policy enforcement because an agent or platform may underestimate what the skill can do, including handling credentials and writing to disk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to place their email and password in environment variables, which can expose credentials through shell history, process inspection, crash logs, CI output, or inherited subprocess environments. Because this is only a setup guide and not a controlled secret-management workflow, the absence of warnings, or of a stronger preference for API-key-only auth, unnecessarily increases the chance of credential leakage.

Session Persistence

Medium
Category
Rogue Agent
Content
- **Pangolinfo account** at [pangolinfo.com](https://pangolinfo.com/?referrer=clawhub_niche)
- **Environment variables**: `PANGOLINFO_API_KEY` (recommended) OR `PANGOLINFO_EMAIL` + `PANGOLINFO_PASSWORD`

> **Security:** Credentials are held **in-memory only** by default. The script will **not** write any key or password to disk unless you explicitly opt in via `--cache-key` (or `PANGOLINFO_CACHE=1`), which persists the API key to `~/.pangolinfo_api_key` (mode 600).

macOS SSL error? Run: `/Applications/Python\ 3.x/Install\ Certificates.command`
Confidence
84% confidence
Finding
write any key or password to disk unless you explicitly opt in via `--cache-key` (or `PANGOLINFO_CACHE=1`), which persists the API key to `~/.pangolinfo_api_key

VirusTotal

66/66 vendors flagged this skill as clean.
