← 返回 Skills 市场

Pangolinfo Amazon Scraper

Name: Pangolinfo Amazon Scraper
Author: liuyu020923

作者 liuyu020923 · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

121

总下载

当前安装

版本数

在 OpenClaw 中安装

/install pangolin-amazon-scraper

功能描述

Scrape Amazon product data using Pangolin APIs. Use this skill when the user wants to: look up Amazon products by ASIN, search Amazon by keyword, check bests...

安全使用建议

This skill appears to do what it says (talk to Pangolin's scrape API) but take these precautions before installing or using it: 1) Verify the source — there is no homepage and the registry metadata omits the required env vars; confirm you trust the publisher or inspect the included scripts yourself. 2) Be aware it will ask for your Pangolin API key (or email+password) and will cache a permanent token at ~/.pangolin_api_key. If you are uncomfortable with a long-lived token stored in your home directory, do not provide credentials. 3) Avoid copying credentials directly into shell history. Prefer setting PANGOLIN_API_KEY in the session environment and let the script save it (then unset the env vars), or create the cache file via a secure method (use a secure editor, echo redirected from a file descriptor, or a secrets manager). 4) Consider creating a limited/test Pangolin account or API key with minimal credits before supplying real credentials. 5) If you proceed, review the scripts/pangolin.py file yourself (it is included) to confirm endpoints, behavior, and that nothing unexpected is transmitted. 6) Ask the publisher for a homepage/repository and more provenance if you need higher assurance. If you want, I can point out the exact lines in scripts/pangolin.py that perform caching and network calls and suggest safer ways to provide credentials.

功能分析

Type: OpenClaw Skill Name: pangolin-amazon-scraper Version: 1.0.2 The skill bundle provides a functional client for the Pangolin Amazon Scraper API but employs high-risk patterns for credential management. Specifically, SKILL.md instructs the AI agent to execute shell commands (e.g., using echo to write to ~/.pangolin_api_key) with user-provided input, which creates a shell injection vulnerability. While the Python script (scripts/pangolin.py) includes basic security measures like restricted file permissions (chmod 600), the overall approach of directing an agent to perform filesystem and environment modifications via shell interpolation is risky, even if intended for legitimate setup purposes.

能力评估

ℹ Purpose & Capability

Name/description and the shipped code align: the skill calls Pangolin's scrape API (scrapeapi.pangolinfo.com) to fetch Amazon data and supports the advertised parsers/features. Requiring a Pangolin API key or email/password is coherent with the stated purpose. However, the registry metadata lists no required environment variables while SKILL.md and the script clearly require PANGOLIN_API_KEY or PANGOLIN_EMAIL + PANGOLIN_PASSWORD — a metadata/documentation mismatch.

⚠ Instruction Scope

SKILL.md explicitly instructs the agent to collect credentials from the user and to write/cache the API key at ~/.pangolin_api_key; it also recommends running the bundled script to authenticate. Those instructions grant the skill the ability to persist secrets to the user's home directory and to run local commands, which is within the skill's purpose but is sensitive and deserving of caution. The suggested 'echo "<api_key>" > ~/.pangolin_api_key' approach can leave secrets in shell history on some setups despite the doc's claim that it 'avoids shell history entirely.'

✓ Install Mechanism

No install spec (instruction-only) and the included Python script is zero-dependency and uses only the stdlib. No external downloads or archive extraction are performed by the skill itself. This is low-risk from an install mechanism perspective.

⚠ Credentials

The skill legitimately needs a Pangolin credential, which is proportionate to its purpose. However, the metadata claims no required env vars while both SKILL.md and the script require/expect PANGOLIN_API_KEY or PANGOLIN_EMAIL+PANGOLIN_PASSWORD. The script will permanently cache the API key in the user's home directory (~/.pangolin_api_key) and will accept live email/password (which it uses to obtain a persistent token). Permanently storing a token in the home directory and treating tokens as 'permanent' increases risk if the user is not fully informed.

ℹ Persistence & Privilege

The skill does not request always:true and does not modify other skills. It does persist credentials locally by design (caching API key at ~/.pangolin_api_key and attempts to set restrictive file permissions). That persistence is expected for convenience but is a privileged, long-lived artifact the user should consent to.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install pangolin-amazon-scraper
安装完成后，直接呼叫该 Skill 的名称或使用 /pangolin-amazon-scraper 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

- The environment variable for using an API key changed from PANGOLIN_TOKEN to PANGOLIN_API_KEY. - API key is now cached to ~/.pangolin_api_key instead of ~/.pangolin_token after authentication. - All documentation, examples, and setup flows have been updated to reflect the new API key variable and cache file paths. - No other functional or breaking changes noted.

v1.0.1

- Documentation updated to use the term "API key" instead of "API Token" or "token" for improved terminology consistency. - Instructions and setup guide in SKILL.md revised to match the Pangolin dashboard naming—for example, "API Key" replaces "API Token" throughout. - No changes to the core script logic detected; changes focused on language, labels, and minor doc refinements.

v1.0.0

pangolinfo-amazon-scraper 1.0.0 - Initial release of skill for scraping Amazon product data via Pangolin APIs. - Supports product detail lookup by ASIN, keyword search, bestsellers/new releases, review retrieval, seller research, price comparison, and category browsing across 13 Amazon regions. - Includes full multilingual usage documentation (English/Chinese), environment setup, and secure authentication walkthrough. - Requires Pangolin API account and token, with interactive setup guide and automated token caching for easy re-use. - Provides detailed instructions for executing the Python script and mapping user intents to Pangolin API commands.

元数据

Slug pangolin-amazon-scraper

版本 1.0.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题

Pangolinfo Amazon Scraper 是什么？

Scrape Amazon product data using Pangolin APIs. Use this skill when the user wants to: look up Amazon products by ASIN, search Amazon by keyword, check bests... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 121 次。

如何安装 Pangolinfo Amazon Scraper？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install pangolin-amazon-scraper」即可一键安装，无需额外配置。

Pangolinfo Amazon Scraper 是免费的吗？

是的，Pangolinfo Amazon Scraper 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Pangolinfo Amazon Scraper 支持哪些平台？

Pangolinfo Amazon Scraper 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Pangolinfo Amazon Scraper？

由 liuyu020923（@liuyu020923）开发并维护，当前版本 v1.0.2。