ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx econdata

v1.0.0

US economic indicators from the Bureau of Labor Statistics — unemployment, CPI, and employment by industry

0· 65·0 current·0 all-time
byBruce Gutman@b-gutman
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the actions described (fetch CPI, unemployment, employment by industry). Declared required binary is curl which is appropriate for the provided curl example, but the SKILL.md also instructs using `npx mcp-remote...` (node/npx) — that binary is not listed in the manifest, a mismatch between declared requirements and actual instructions.
!
Instruction Scope
Instructions direct the agent to POST JSON-RPC requests to https://gateway.pipeworx.io/econdata/mcp (proxy/gateway) and to register an MCP server via `npx`. The docs do not warn that query payloads (including any context the agent attaches) are sent to an external third-party endpoint, so running the tool may transmit user data to that service. The SKILL.md does not instruct reading local files or secrets, but it gives broad leeway to 'query any BLS time series' which could cause the agent to include extra conversational context in requests.
!
Install Mechanism
The package is instruction-only (no install spec), but the Setup section tells users/agents to run `npx -y mcp-remote@latest ...`, which will download and execute code from the npm registry at runtime. That runtime install step is not declared in the manifest (only curl listed). Using npx implies code will be fetched and executed from npm, which is a non-trivial install action and should be declared.
Credentials
No environment variables or credentials are requested in the manifest or SKILL.md. That is proportionate for a read-only data retrieval skill that doesn't require API keys. However, the external gateway may itself require or accept credentials in other deployments — none are declared here.
Persistence & Privilege
always is false and there are no config paths requested. Normal autonomous invocation is allowed (platform default). Combined with the ability to POST arbitrary payloads to an external gateway, autonomous invocation could cause outgoing requests without explicit user action — consider this when enabling autonomous use.
What to consider before installing
This skill appears to do what it says (fetch BLS data) but has two practical concerns you should consider before installing: (1) the SKILL.md expects you/agent to run `npx mcp-remote@latest ...` which will download and run code from npm — the manifest did not declare npx/node as a requirement; if you don't trust that package or the gateway, avoid running it. (2) API calls are routed through https://gateway.pipeworx.io; any request payload (including conversational context the agent may attach) will be sent to that external service. If you plan to use it, test with non-sensitive queries, confirm the gateway's privacy/trustworthiness, and require the skill author to declare the npx/node requirement and explicitly state how request data is handled.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis
Binscurl
latestvk978np7ez6c16xjcde7386s98d84ftbs
65downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
Bruce Gutman@b-gutman
latest
Download

US Economic Data (BLS)

Access official US economic statistics from the Bureau of Labor Statistics. Pull unemployment rates, Consumer Price Index (CPI), and employment figures by industry. Query any BLS time series directly or use the convenience tools.

Tools

ToolDescription
get_seriesFetch any BLS time series by ID (e.g., "CUUR0000SA0" for CPI)
get_unemploymentCivilian unemployment rate (seasonally adjusted)
get_cpiConsumer Price Index for all urban consumers
get_employment_by_industryTotal nonfarm employment by industry sector

Scenarios

  • "What's the current US unemployment rate?" — call get_unemployment
  • Tracking inflation trends via CPI over a specific year range
  • Comparing employment growth across industries (healthcare, tech, manufacturing)
  • Building economic dashboards with official government data

Example: CPI for 2022-2024

curl -s -X POST https://gateway.pipeworx.io/econdata/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_cpi","arguments":{"start_year":"2022","end_year":"2024"}}}'

Returns monthly CPI values with period name, year, and value.

Setup

{
  "mcpServers": {
    "pipeworx-econdata": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/econdata/mcp"]
    }
  }
}

Comments

Loading comments...