ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx npm

v1.0.0

npm MCP — wraps the npm Registry API (free, no auth)

0· 68·0 current·0 all-time
byBruce Gutman@b-gutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for b-gutman/pipeworx-npm.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pipeworx npm" (b-gutman/pipeworx-npm) from ClawHub.
Skill page: https://clawhub.ai/b-gutman/pipeworx-npm
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-npm

ClawHub CLI

Package manager switcher

npx clawhub@latest install pipeworx-npm
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (wrapping the npm Registry API via a remote MCP) matches the provided connect instruction (mcp-remote pointing at gateway.pipeworx.io). However, the SKILL.md expects the agent to run 'npx' but the registry metadata lists no required binaries — that mismatch is an unexplained omission.
!
Instruction Scope
Runtime instructions tell the agent to run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/npm/mcp'. This causes dynamic download and execution of a package and a live connection to an external gateway; the skill does not specify what data will be sent or how the gateway behaves, so the agent could transmit sensitive context to an external service.
!
Install Mechanism
There is no formal install spec, but the connect step uses npx to run mcp-remote@latest. Fetching and executing '@latest' from the public npm registry is a supply-chain risk (upstream could change). While npm is a well-known host, using an unpinned 'latest' and automatic install ('-y') increases attack surface.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, because it invokes a remote service, it may forward agent context or other runtime data — the SKILL.md does not document what is transmitted, so it's unclear whether this is safe.
Persistence & Privilege
always is false and there's no indication the skill alters other skills or system-wide settings. Autonomous invocation is allowed (platform default); combined with executing remote code, that increases potential impact but is not by itself a policy violation.
What to consider before installing
This skill is coherent with its stated purpose but has notable risks you should weigh before installing: it expects 'npx' at runtime (but doesn't declare that requirement), and it runs 'mcp-remote@latest' which downloads and executes code from npm and connects to https://gateway.pipeworx.io — that can change upstream or exfiltrate data. Consider asking the author to: (1) declare required binaries (npx), (2) pin a specific package version instead of @latest, (3) provide the mcp-remote source repo and a description of what data the gateway receives, and (4) allow manual review of the mcp-remote package before enabling. If you must use it now, run it in an isolated environment, avoid giving it sensitive context, and consider disabling autonomous invocation until you've audited the remote package and gateway behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk972ymwhg9474tfgd93xjhqhe184rqew
68downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Bruce Gutman@b-gutman
latest
Download

pipeworx-npm

npm MCP — wraps the npm Registry API (free, no auth). Free, no API key. Part of Pipeworx.

Tools

  • search_packages
  • get_package
  • get_downloads

Connect

{
  "mcpServers": {
    "pipeworx-npm": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/npm/mcp"]
    }
  }
}

More at pipeworx.io/packs/npm

Comments

Loading comments...