Skillv1.0.0

ClawScan security

Pipeworx Analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 22, 2026, 6:07 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill routes queries and conversation context to an unknown external gateway that claims access to many (including paid/protected) data sources but provides no information about authentication, hosting, logging, or data handling—this omission could expose sensitive queries or secrets.
Guidance: Do not install or use this skill unless you trust the external gateway and have clear answers to: (1) Who operates gateway.pipeworx.io (company/owner/public repo)? (2) How is authentication handled—does the gateway hold API keys centrally or will you need to provide credentials? (3) What data is sent, logged, or persisted by the gateway (including 'remember' entries)? retention and deletion policies? (4) Is traffic encrypted and who can access logs? Ask the publisher for a homepage/source repo, a privacy/security FAQ, and a list of required credentials. Test with non-sensitive queries first. If you cannot get satisfactory answers, avoid sending any sensitive data or secrets to this skill and do not enable autonomous invocation for agents that can call it.

Review Dimensions

Purpose & Capability: concernThe SKILL.md consistently points the agent at an external gateway (https://gateway.pipeworx.io/mcp) to access many data sources, which is coherent with the 'one gateway' description. However, several listed backends (e.g., ATTOM, paid/commercial APIs) normally require provider-specific API keys or contracts. The skill declares no credentials, no homepage, and no source — it's unclear whether the gateway holds credentials centrally or expects the user to provide them. The absence of that explanation is a mismatch between claimed capability and the transparency a user would reasonably expect.
Instruction Scope: concernThe runtime instructions tell the agent to call remote functions (ask_pipeworx, discover_tools, remember, recall) against an external URL. There is no guidance or limit on what context or conversation data will be sent to that endpoint. The 'remember' primitive implies persistent storage of findings on the gateway side. Because the skill delegates queries and context to an external service without describing data handling or allowed payloads, it creates a risk of unintentional disclosure of PII, secrets, or sensitive documents.
Install Mechanism: okThis is instruction-only with no install spec and no code files, so nothing is written to disk by the skill itself. That minimizes local install risk. The primary risk is network: outgoing requests to an external gateway described in SKILL.md.
Credentials: concernThe skill declares no required environment variables or primary credential, yet it claims access to many third-party sources that often require their own API keys. Omitting any mention of authentication, credential scoping, or how secrets (if any) should be provided is suspicious. Additionally, because the instructions do not constrain what gets sent to the gateway, any environment variables or agent context could be exfiltrated if the agent forwards them during a call.
Persistence & Privilege: concernThe skill is not forced always-on (always: false), but autonomous invocation is allowed (the platform default). Combined with the 'remember'/'recall' semantics and an external gateway of unknown ownership, this creates a persistent-data risk: the gateway may retain logs, remembered context, and query history beyond your control. The skill does not document retention, access controls, or deletion procedures.