← Back to Skills Marketplace
Pangolinfo Amazon Scraper
by
liuyu020923
· GitHub ↗
· v1.0.2
· MIT-0
121
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install pangolin-amazon-scraper
Description
Scrape Amazon product data using Pangolin APIs. Use this skill when the user wants to: look up Amazon products by ASIN, search Amazon by keyword, check bests...
Usage Guidance
This skill appears to do what it says (talk to Pangolin's scrape API) but take these precautions before installing or using it: 1) Verify the source — there is no homepage and the registry metadata omits the required env vars; confirm you trust the publisher or inspect the included scripts yourself. 2) Be aware it will ask for your Pangolin API key (or email+password) and will cache a permanent token at ~/.pangolin_api_key. If you are uncomfortable with a long-lived token stored in your home directory, do not provide credentials. 3) Avoid copying credentials directly into shell history. Prefer setting PANGOLIN_API_KEY in the session environment and let the script save it (then unset the env vars), or create the cache file via a secure method (use a secure editor, echo redirected from a file descriptor, or a secrets manager). 4) Consider creating a limited/test Pangolin account or API key with minimal credits before supplying real credentials. 5) If you proceed, review the scripts/pangolin.py file yourself (it is included) to confirm endpoints, behavior, and that nothing unexpected is transmitted. 6) Ask the publisher for a homepage/repository and more provenance if you need higher assurance. If you want, I can point out the exact lines in scripts/pangolin.py that perform caching and network calls and suggest safer ways to provide credentials.
Capability Analysis
Type: OpenClaw Skill
Name: pangolin-amazon-scraper
Version: 1.0.2
The skill bundle provides a functional client for the Pangolin Amazon Scraper API but employs high-risk patterns for credential management. Specifically, SKILL.md instructs the AI agent to execute shell commands (e.g., using echo to write to ~/.pangolin_api_key) with user-provided input, which creates a shell injection vulnerability. While the Python script (scripts/pangolin.py) includes basic security measures like restricted file permissions (chmod 600), the overall approach of directing an agent to perform filesystem and environment modifications via shell interpolation is risky, even if intended for legitimate setup purposes.
Capability Assessment
Purpose & Capability
Name/description and the shipped code align: the skill calls Pangolin's scrape API (scrapeapi.pangolinfo.com) to fetch Amazon data and supports the advertised parsers/features. Requiring a Pangolin API key or email/password is coherent with the stated purpose. However, the registry metadata lists no required environment variables while SKILL.md and the script clearly require PANGOLIN_API_KEY or PANGOLIN_EMAIL + PANGOLIN_PASSWORD — a metadata/documentation mismatch.
Instruction Scope
SKILL.md explicitly instructs the agent to collect credentials from the user and to write/cache the API key at ~/.pangolin_api_key; it also recommends running the bundled script to authenticate. Those instructions grant the skill the ability to persist secrets to the user's home directory and to run local commands, which is within the skill's purpose but is sensitive and deserving of caution. The suggested 'echo "<api_key>" > ~/.pangolin_api_key' approach can leave secrets in shell history on some setups despite the doc's claim that it 'avoids shell history entirely.'
Install Mechanism
No install spec (instruction-only) and the included Python script is zero-dependency and uses only the stdlib. No external downloads or archive extraction are performed by the skill itself. This is low-risk from an install mechanism perspective.
Credentials
The skill legitimately needs a Pangolin credential, which is proportionate to its purpose. However, the metadata claims no required env vars while both SKILL.md and the script require/expect PANGOLIN_API_KEY or PANGOLIN_EMAIL+PANGOLIN_PASSWORD. The script will permanently cache the API key in the user's home directory (~/.pangolin_api_key) and will accept live email/password (which it uses to obtain a persistent token). Permanently storing a token in the home directory and treating tokens as 'permanent' increases risk if the user is not fully informed.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does persist credentials locally by design (caching API key at ~/.pangolin_api_key and attempts to set restrictive file permissions). That persistence is expected for convenience but is a privileged, long-lived artifact the user should consent to.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pangolin-amazon-scraper - After installation, invoke the skill by name or use
/pangolin-amazon-scraper - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- The environment variable for using an API key changed from PANGOLIN_TOKEN to PANGOLIN_API_KEY.
- API key is now cached to ~/.pangolin_api_key instead of ~/.pangolin_token after authentication.
- All documentation, examples, and setup flows have been updated to reflect the new API key variable and cache file paths.
- No other functional or breaking changes noted.
v1.0.1
- Documentation updated to use the term "API key" instead of "API Token" or "token" for improved terminology consistency.
- Instructions and setup guide in SKILL.md revised to match the Pangolin dashboard naming—for example, "API Key" replaces "API Token" throughout.
- No changes to the core script logic detected; changes focused on language, labels, and minor doc refinements.
v1.0.0
pangolinfo-amazon-scraper 1.0.0
- Initial release of skill for scraping Amazon product data via Pangolin APIs.
- Supports product detail lookup by ASIN, keyword search, bestsellers/new releases, review retrieval, seller research, price comparison, and category browsing across 13 Amazon regions.
- Includes full multilingual usage documentation (English/Chinese), environment setup, and secure authentication walkthrough.
- Requires Pangolin API account and token, with interactive setup guide and automated token caching for easy re-use.
- Provides detailed instructions for executing the Python script and mapping user intents to Pangolin API commands.
Metadata
Frequently Asked Questions
What is Pangolinfo Amazon Scraper?
Scrape Amazon product data using Pangolin APIs. Use this skill when the user wants to: look up Amazon products by ASIN, search Amazon by keyword, check bests... It is an AI Agent Skill for Claude Code / OpenClaw, with 121 downloads so far.
How do I install Pangolinfo Amazon Scraper?
Run "/install pangolin-amazon-scraper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Pangolinfo Amazon Scraper free?
Yes, Pangolinfo Amazon Scraper is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Pangolinfo Amazon Scraper support?
Pangolinfo Amazon Scraper is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Pangolinfo Amazon Scraper?
It is built and maintained by liuyu020923 (@liuyu020923); the current version is v1.0.2.
More Skills