Skill v2.0.0
ClawScan security
pangolinfo-amazon-product-explorer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 9:42 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: bundled Python clients call Pangolinfo APIs and only request Pangolinfo credentials; no unrelated credentials, downloads, or system-wide changes were found, though there are minor docs/metadata inconsistencies to note.
- Guidance: This skill appears to do what it claims: it will send queries and your Pangolinfo credential to pangolinfo's API endpoints. Before installing: (1) Prefer providing a Pangolinfo API key rather than your account email+password; if you must use credentials, consider creating a dedicated Pangolinfo account or scoped API key. (2) Confirm you trust https://pangolinfo.com and its API domain (scrapeapi.pangolinfo.com) and understand that API requests may consume credits (docs list per-call credit costs). (3) Be aware the package can optionally cache an API key to ~/.pangolinfo_api_key if caching is enabled—verify you want that behavior. (4) If you do not want the agent to call the service autonomously, disable or restrict autonomous skill invocation. (5) The registry metadata slightly overstates required env vars; follow the SKILL.md guidance (API key OR email+password).
Review Dimensions
- Purpose & Capability (note): The name/description promise Amazon product discovery via the Pangolinfo data engine and the bundled scripts make outbound calls to pangolinfo endpoints (scrapeapi.pangolinfo.com) matching that purpose. Minor inconsistency: registry metadata lists PANGOLINFO_API_KEY, PANGOLINFO_EMAIL, and PANGOLINFO_PASSWORD as 'required', while SKILL.md and the scripts indicate an API key OR email+password are acceptable (API key is recommended). This is a documentation/metadata mismatch, not a capability mismatch.
- Instruction Scope (ok): SKILL.md SOP and the scripts limit actions to querying Pangolinfo APIs, parsing results, and optional local caching. The SOP mandates language detection and defaults (Amazon US, zip 90001). There are no instructions to read unrelated files, harvest system secrets, or transmit data to endpoints other than Pangolinfo. The scripts reference a per-user cache file (~/.pangolinfo_api_key) but caching is opt-in and currently disabled by default in the code.
- Install Mechanism (ok): No install spec or external downloads; the package is a flat set of zero-dependency Python scripts using the standard library (urllib). Nothing is fetched from arbitrary URLs or written to nonstandard system locations by default.
- Credentials (note): The only credentials requested are Pangolinfo credentials (API key or email+password), which are proportional to the described functionality. The minor issue: registry metadata implies all three env vars are required, whereas SKILL.md and the clients accept either an API key OR email+password. Users should avoid pasting credentials into public places and prefer using an API key.
- Persistence & Privilege (ok): The skill is not forced-always and uses normal autonomous-invocation defaults. It does not request elevated system privileges. Scripts may optionally persist an API key to ~/.pangolinfo_api_key if caching is explicitly enabled; by default the code disables disk caching (CACHE_TO_DISK = False).
