Pipeworx mathjs

v1.0.0

Math.js MCP — wraps the mathjs.org API (free, no auth)

by Bruce Gutman (@b-gutman)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (wrap mathjs.org) is plausible, but the SKILL.md expects the agent to run 'npx mcp-remote@latest' to connect to https://gateway.pipeworx.io/mathjs/mcp. The registry metadata declares no required binaries, yet the runtime connect block implicitly requires 'npx' (and network access). The declared requirements and the actual runtime requirements do not match, which is worth being aware of.
Instruction Scope
The instructions direct the agent to execute an external npm package (mcp-remote@latest) via npx and connect to an external gateway. That means user queries/inputs will be sent to a third-party service and arbitrary code from the npm package will run at runtime. The SKILL.md does not explicitly declare these data flows or the need for npx.
Install Mechanism
There is no install spec, but the connect command uses 'npx ...@latest', which will fetch and execute code from the npm registry at runtime. Using the 'latest' tag (unpinned) increases supply-chain risk because the package contents can change between runs.
Credentials
The skill requests no environment variables, credentials, or file paths — which is proportionate to a read-only math wrapper. However, because it forwards data to an external service, the service could receive sensitive input if the agent forwards it.
Persistence & Privilege
The skill does not request always:true and has no install that forces persistent system-wide changes. Autonomous invocation is allowed (the platform default) but not combined here with elevated privileges.
What to consider before installing
This skill will cause your agent to run 'npx mcp-remote@latest' and connect to https://gateway.pipeworx.io/mathjs/mcp at runtime. If you install it, be aware that: (1) 'npx' must be available but the skill metadata doesn't declare that requirement, (2) unpinned 'latest' pulls code from npm each run (supply-chain risk), and (3) anything you send to the skill will be forwarded to an external service and could be logged or observed. Before installing, consider: pinning the package version, reviewing the mcp-remote package source and gateway privacy/security policy, avoiding sending secrets or private data to the skill, or using a local mathjs implementation instead of executing remote code.
