pangolinfo-amazon-product-explorer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Pangolinfo-powered Amazon market research toolkit, but users should handle its Pangolinfo credentials carefully.

Install only if you trust Pangolinfo with your market research queries and API credentials. Prefer PANGOLINFO_API_KEY over email/password, avoid entering real secrets in shared terminals or logs, and enable --cache-key/PANGOLINFO_CACHE only if you intentionally want a long-lived key saved at ~/.pangolinfo_api_key. API calls may consume Pangolinfo credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 96%
Finding
The skill declares no explicit permissions while its documented behavior requires sensitive capabilities including environment access, local file reads/writes, network access, and shell execution. This creates a transparency and policy-enforcement gap: an agent or user may authorize the skill under false assumptions, while it can access credentials, persist data locally, and invoke external commands.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented scope says this is a narrowly bounded Amazon product-research skill, but the described behavior expands into general-purpose SERP querying, broader Amazon scraping modes, raw CLI/API passthrough behavior, screenshot capture, taxonomy exploration, and local credential caching. That mismatch is dangerous because it hides materially broader data collection and execution behavior than a user would reasonably expect, increasing the risk of overreach, privacy issues, and misuse of granted agent capabilities.

Intent-Code Divergence

High
Confidence: 88%
Finding
The skill explicitly tells users not to use it for listing optimization, then later instructs the agent to generate listing SEO/CRO and A+ content guidance anyway. This contradictory guidance can defeat routing controls and cause the agent to perform actions outside approved boundaries, especially in ecosystems that rely on skill descriptions to constrain invocation and review.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guide instructs users to provide and export a plaintext email/password pair into environment variables, but does not warn against credential exposure, shell history leakage, process inspection, logging, or reuse of primary account passwords. In a skill context, encouraging direct collection of a user's password is riskier than asking only for an API key, because it expands the secret scope and can normalize unsafe credential-handling behavior.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation states that API keys are permanent and describes a resolution order that includes reading from an environment variable and a local cache file, but it provides no security guidance on safe storage, rotation, file permissions, or risks of long-lived credentials. In a skill that interacts with external commercial APIs, normalizing permanent credential use without warnings increases the chance of credential leakage or insecure persistence, which could enable unauthorized API usage and account abuse.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide instructs users to place their account password in an environment variable, which can expose credentials through shell history, process inspection, debugging output, crash reports, CI logs, or inherited subprocess environments. In this skill’s context, the risk is more serious because the skill explicitly guides interactive authentication for an external service, increasing the chance that users follow the insecure pattern verbatim and reuse real account credentials.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide instructs users to place a plaintext password into an environment variable, which is a credential-handling weakness because environment variables can be exposed through shell history, process inspection, crash logs, debug output, or inherited child processes. In this skill context, the file is specifically a setup guide for authenticating to an external service, so encouraging password-based auth without strong warnings or safer defaults increases the chance of credential leakage during normal use.

Missing User Warnings

Medium
Confidence: 95%
Finding
The guide tells users to place a plaintext password into an environment variable for authentication, but gives no warning about the security tradeoffs. Environment variables can be exposed through shell history, process listings, debugging tools, crash reports, CI logs, or inherited child processes, so this guidance can lead to credential leakage even if the file itself is only documentation.

VirusTotal

65/65 vendors flagged this skill as clean.
