Pangolinfo Scrape (Legacy)

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a purpose-aligned Pangolin API client, but it sends your search/Amazon inputs to Pangolin and uses a persistent Pangolin credential token.

Install only if you trust Pangolin with the searches, Amazon URLs, and screenshots you request. Protect your Pangolin token/password, consider removing ~/.pangolin_token after use, and note that the docs appear to reference scripts/pangolin.py while the included script is scripts/pangolinfo.py.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your Pangolin account and credits; anyone who gains access to the cached token may be able to reuse that account access.

Why it was flagged

The code uses Pangolin account credentials or a bearer token and stores a local token cache. This is expected for the stated API purpose, but it is a sensitive account boundary.

Skill content

TOKEN_CACHE_PATH = Path.home() / ".pangolin_token" ... token = os.environ.get("PANGOLIN_TOKEN") ... email = os.environ.get("PANGOLIN_EMAIL") ... password = os.environ.get("PANGOLIN_PASSWORD")

Recommendation

Prefer a scoped Pangolin token over a password where possible, protect environment variables, and delete ~/.pangolin_token when you no longer want cached access.

What this means

Searches or product URLs you submit may leave your environment and count against your Pangolin account credits.

Why it was flagged

The skill sends user-supplied search terms, follow-up prompts, Amazon URLs, and optional screenshot requests to a third-party scraping API. This is purpose-aligned but exposes request content to that provider and may consume paid credits.

Skill content

Search Google and scrape Amazon programmatically via Pangolin APIs. Extract AI overviews, organic search results, Amazon product data, and page screenshots.

Recommendation

Avoid sensitive queries or URLs, review when screenshot/raw output is requested, and monitor Pangolin credit usage.

What this means

The documented commands may fail or confuse users about which script should be run.

Why it was flagged

The usage examples reference scripts/pangolin.py, while the provided manifest contains scripts/pangolinfo.py. This appears to be a packaging/documentation mismatch rather than malicious behavior.

Skill content

python3 scripts/pangolin.py --q "what is quantum computing" --mode ai-mode

Recommendation

Use the included scripts/pangolinfo.py file or ask the publisher to correct the documentation and metadata.