Pinata API
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Pinata API reference skill, but it uses a sensitive Pinata JWT and exposes account-changing file, group, gateway, signature, vectorization, and payment-related API actions.
Install only if you are comfortable giving the agent a Pinata JWT. Prefer a dedicated, least-privilege token; confirm destructive actions like deletes; carefully review signed links, gateway access, and x402 payment instructions before allowing the agent to create or change them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, an agent with the Pinata JWT could delete or modify hosted files, groups, signatures, or other Pinata account resources.
The skill exposes destructive Pinata API operations. This is expected for a file-management API skill, but deleting remote files is a high-impact action that should be user-approved and scoped.
### Delete File
```
DELETE https://api.pinata.cloud/v3/files/{network}/{id}
```
Use a least-privilege Pinata API key where possible and require explicit confirmation before delete, update, signed URL, or payment-related operations.
Incorrect payment instructions or amounts could affect how users charge for content or interact with USDC-based payment flows.
The skill includes payment-related API functionality. This is disclosed and aligned with the description, but payment configuration is financially sensitive and should not be performed automatically.
Create payment instructions for monetizing IPFS content using the x402 protocol with USDC on Base.
Review payment amounts, network, contract address, recipient details, and expiration/access settings before allowing the agent to create or change payment instructions.
Anyone or any agent workflow using this token may be able to read, upload, modify, or delete Pinata resources permitted by the token.
The skill requires a Pinata JWT for authenticated API access. This is necessary for the integration, but it gives the agent delegated authority over the user's Pinata account resources.
Authorization: Bearer $PINATA_JWT
Create a dedicated, least-privilege Pinata API key for this skill, avoid sharing broad admin tokens, and revoke or rotate the token if it is exposed.
Sensitive uploaded content may become searchable or reusable through the Pinata vector-search workflow if the user chooses to use that feature.
The skill advertises vector search/vectorization functionality, which may involve storing or retrieving derived representations of uploaded content. This is purpose-aligned, but users should be mindful when vectorizing private or sensitive files.
perform AI-powered vector search
Only vectorize files intended for that workflow, understand Pinata's retention and access controls, and avoid uploading sensitive content unless the account and gateway settings are appropriate.
