Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx mhw

v1.0.0

MHW MCP — Monster Hunter World data (mhw-db.com, free, no auth)

by Bruce Gutman (@b-gutman)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for b-gutman/pipeworx-mhw.

Install the skill "Pipeworx mhw" (b-gutman/pipeworx-mhw) from ClawHub.
Skill page: https://clawhub.ai/b-gutman/pipeworx-mhw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-mhw

ClawHub CLI

npx clawhub@latest install pipeworx-mhw

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Stated purpose is to provide MHW data (mhw-db). That capability can legitimately use a remote connector, but the skill declares no required binaries or install steps while the instructions rely on 'npx' and a remote package — an inconsistency.
Instruction Scope
SKILL.md tells the agent to run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/mhw/mcp', which will download and execute code and contact an external gateway. This goes beyond simply fetching public API data and gives broad runtime discretion to execute remote package code.
Install Mechanism
There is no formal install spec, yet the instructions rely on npx to pull 'mcp-remote@latest' from npm at runtime. Unpinned, dynamic installs from npm introduce supply-chain risk; the absence of an explicit requirement for 'npx' is also an incoherence.
Credentials
The skill declares no environment variables or credentials and the described data source is public, so requested secrets would be disproportionate. No hidden env access was observed in SKILL.md.
Persistence & Privilege
'always' is false and the skill does not request permanent presence or modify other skills. Autonomous invocation is allowed (default) but not combined with other high privileges here.
What to consider before installing
This skill likely does what it says (fetch MHW data), but the runtime step executes a remote npm package via npx and connects to gateway.pipeworx.io — that can run arbitrary code and network requests. Before installing:

  1) Confirm you have/allow 'npx' and understand that it will fetch 'mcp-remote@latest';
  2) Prefer a pinned package version and a verifiable checksum or an explicit install spec rather than 'latest';
  3) Review the mcp-remote package source or ask the author to provide a vendored/package-managed install;
  4) If you proceed, run it in a restricted/sandboxed environment and avoid supplying any secrets.

If the publisher can explain why 'npx' wasn't listed in required binaries and can provide a pinned, reproducible install, the risk would be much lower.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bb876394002r1yr9hytw1gh84shfh
60 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

pipeworx-mhw

MHW MCP — Monster Hunter World data (mhw-db.com, free, no auth). Free, no API key. Part of Pipeworx.

Tools

  • get_monsters
  • get_weapons
  • get_armor
  • get_skills

Connect

{
  "mcpServers": {
    "pipeworx-mhw": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/mhw/mcp"]
    }
  }
}

More at pipeworx.io/packs/mhw
