Security audit

Pipeworx mathjs

Security checks across malware telemetry and agentic risk

Overview

This is a simple remote math MCP connector; the main caution is that calculations go through Pipeworx and an npm bridge.

Install only if you are comfortable sending math expressions and unit-conversion inputs to Pipeworx through the mcp-remote npm bridge. Avoid using it for secrets, personal data, or sensitive business calculations, and consider pinning the bridge version if reproducibility matters.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill instructs users to connect to a remote MCP server via `npx mcp-remote@latest https://gateway.pipeworx.io/mathjs/mcp` but does not clearly warn that using the skill sends requests over the network to a third-party service. This can mislead users into treating the tool as local-only and may expose prompts, inputs, or metadata to an external operator, which is a real transparency and privacy risk even though the described functionality is only math evaluation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal