Skillv1.0.0

ClawScan security

Pipeworx movies · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 13, 2026, 6:29 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (wrapping public movie/TV APIs) is plausible, but the runtime instructions tell the agent to fetch and execute remote code via npx (mcp-remote@latest) against gateway.pipeworx.io without declaring that requirement or pinning the package — this is a meaningful security and provenance risk.
Guidance: This skill appears to do what it claims (wrap public movie/TV APIs) but the runtime instructions ask the agent to run npx to fetch and execute mcp-remote@latest against gateway.pipeworx.io. That means code will be downloaded and run from the network and can change over time. Before installing: (1) confirm you trust the pipeworx.io gateway and the mcp-remote npm package author; (2) prefer a pinned package version instead of @latest; (3) ensure npx/Node availability is acceptable and explicitly declared; (4) consider reviewing the mcp-remote package source and gateway behavior, or run the skill in a sandboxed environment; (5) note that although no credentials are requested, a malicious remote package could attempt to read or transmit local environment data, so avoid running it with sensitive secrets present.

Review Dimensions

Purpose & Capability: noteThe skill claims to wrap iTunes Search and TVmaze (both public, no-auth APIs). The provided connect snippet (npx mcp-remote ... gateway.pipeworx.io) is consistent with providing a remote MCP proxy for those APIs. However, the SKILL.md does not declare that the agent needs npx/Node available, which is a mismatch between stated requirements and actual runtime needs.
Instruction Scope: concernSKILL.md instructs the agent to run npx to download and execute mcp-remote@latest pointed at a remote gateway URL. That means arbitrary code will be fetched from npm and executed locally and the agent will communicate with gateway.pipeworx.io. The instructions do not ask for unrelated local files or secrets, but they do enable remote code execution and outbound network calls, which expands the skill's runtime capabilities beyond a simple API wrapper.
Install Mechanism: concernThere is no formal install spec, but the connect snippet relies on npx to fetch and run mcp-remote@latest from npm at runtime. Download-and-execute via npx (especially using @latest) is a moderate-to-high risk install mechanism because it executes remotely-sourced code whose exact contents can change and whose provenance may be unclear.
Credentials: okThe skill declares no environment variables, credentials, or config paths and the instructions do not request local secrets. This is proportionate to the claimed purpose (public, no-auth APIs). Note: running external packages may still access environment data if the package is malicious, but no envs are requested by the skill itself.
Persistence & Privilege: okalways is false and there is no request to modify other skills or system-wide settings. The skill does instruct transient execution of an external package but does not request permanent presence or elevated platform privileges.