Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pangolinfo Scrape (Legacy)
v1.0.1Search Google and scrape Amazon using Pangolin APIs. Supports AI Mode search (Google AI Overview with multi-turn dialogue), standard SERP with AI Overview ex...
⭐ 0· 256·1 current·1 all-time
byPangolinfo & AgentGo@tammy-hash
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description promise Google SERP and Amazon scraping via Pangolin APIs, and the included Python client calls scrapeapi.pangolinfo.com endpoints to do exactly that — capability aligns with purpose. However, registry metadata claims no required environment variables or primary credential, while SKILL.md and the script clearly require PANGOLIN_TOKEN or PANGOLIN_EMAIL+PANGOLIN_PASSWORD. That metadata omission is an incoherence and should be corrected/clarified.
Instruction Scope
SKILL.md and the script give explicit CLI usage and only instruct network calls to the Pangolin API endpoints, token caching, and JSON parsing. Instructions do not request unrelated system files or other credentials. The script writes a token cache (~/.pangolin_token) and uses environment variables; these actions are documented in SKILL.md and references.
Install Mechanism
No install spec (instruction-only with included Python script). No external downloads or package installs are performed. The script is zero-dependency (uses Python stdlib) so there is no hidden installer risk.
Credentials
Requiring PANGOLIN_TOKEN or PANGOLIN_EMAIL+PANGOLIN_PASSWORD is proportionate to authenticating against the external Pangolin API. The concern is that the registry metadata lists no required env vars (contradiction) and the skill will cache a bearer token in the user's home (~/.pangolin_token). If you provide email+password, those credentials are sent to the external auth endpoint; ensure you trust the service and prefer using a token over storing passwords in environment variables when possible.
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges. It caches a token to a file it owns (~/.pangolin_token) which is typical for CLI clients; it does not modify other skills or system-wide agent settings.
What to consider before installing
This package appears to implement the advertised Pangolin scraping functionality and the included Python client is readable and zero-dependency. However: (1) the registry metadata incorrectly lists no required environment variables — the script needs PANGOLIN_TOKEN or PANGOLIN_EMAIL + PANGOLIN_PASSWORD. Treat that mismatch as a red flag and ask the publisher/registry to correct it. (2) The script will send your email/password to https://scrapeapi.pangolinfo.com/auth to obtain a bearer token and will save the token at ~/.pangolin_token (file permissions set to 600). Prefer providing an existing PANGOLIN_TOKEN rather than your account password. (3) The source/homepage is unknown; verify the publisher and the legitimacy of scrapeapi.pangolinfo.com before supplying credentials. (4) If you decide to install/use it, run it in a restricted environment (or inspect/run the script manually) and consider creating a dedicated Pangolin account or short‑lived token so you don't expose your primary credentials.Like a lobster shell, security has layers — review code before you run it.
ai-overviewvk975r506xe8h9xgjtprmthxet982e1xwamazonvk975r506xe8h9xgjtprmthxet982e1xwecommercevk975r506xe8h9xgjtprmthxet982e1xwgooglevk975r506xe8h9xgjtprmthxet982e1xwlatestvk97c9x3j6b41p254be7g57a2zx83g9dclegacyvk97c9x3j6b41p254be7g57a2zx83g9dcpangolinfovk975r506xe8h9xgjtprmthxet982e1xwredirectvk97c9x3j6b41p254be7g57a2zx83g9dcscrapingvk975r506xe8h9xgjtprmthxet982e1xwsearchvk975r506xe8h9xgjtprmthxet982e1xwserpvk975r506xe8h9xgjtprmthxet982e1xw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.