Skill v1.0.0
ClawScan security
Pipeworx art · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 7, 2026, 5:14 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to talk to the Met's open API but relies on an external Pipeworx gateway and an npx-installed remote helper (not declared), which creates a risk of running unreviewed remote code and is inconsistent with the declared requirements.
- Guidance: This pack appears to provide Met Museum data, but it routes calls through an external Pipeworx gateway and recommends using 'npx -y mcp-remote@latest', which will download and execute code from npm at runtime. Before installing: (1) confirm you trust https://gateway.pipeworx.io and the pipeworx project; (2) verify the mcp-remote package source (review its code/release) and add Node/npx to declared requirements; (3) consider requiring the skill to call the Met's official API (collectionapi.metmuseum.org) directly if you prefer no third-party proxy; (4) run this skill in a sandboxed environment or restrict agent permissions if you allow it; (5) if you are unsure about executing remote npm packages, do not enable autonomous invocation, or avoid installing the skill.
Review Dimensions
- Purpose & Capability (concern): The description says it connects to the Met's open-access API, but the runtime example and setup point to https://gateway.pipeworx.io/art/mcp (a proxy/gateway) rather than the Met's official endpoints. The SKILL.md's Setup also instructs using npx to run mcp-remote, yet 'npx' / Node is not listed in the required binaries, a clear mismatch between claimed dependencies and actual instructions.
- Instruction Scope (concern): Instructions include POSTing JSON-RPC calls to a third-party gateway and recommend configuring an mcpServer that will run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/art/mcp'. That effectively instructs the agent/runtime to fetch and execute code from npm and to use a remote service as the tool backend. The SKILL.md does not instruct reading local files or secrets, but it does delegate runtime behavior to an external, unreviewed component.
- Install Mechanism (concern): There is no formal install spec, but the Setup suggests invoking npx to fetch and run mcp-remote@latest from npm. Using npx downloads and executes package code at runtime from the public registry, which is moderate-to-high risk if the package or the gateway is untrusted. The Skill fails to declare Node/npx as a required binary, which is inconsistent and could cause unnoticed remote code execution.
- Credentials (note): The skill declares no required environment variables or credentials, which is proportionate for a read-only art catalog. However, because it routes requests through a third-party gateway and a remote npm tool, additional implicit network access and potential token use could occur but are not declared.
- Persistence & Privilege (concern): 'always' is false (good), but autonomous model invocation is allowed (default). Combined with the setup that causes the agent/runtime to fetch and run mcp-remote from npm and to send JSON-RPC to an external gateway, this increases the blast radius: the agent could autonomously run unvetted remote code and communicate with a third-party service.
