Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx bible

v1.0.0

Fetch Bible verses, passages, and random scripture from bible-api.com — multiple translations supported

by Bruce Gutman @brucegutman
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description says it fetches scripture from bible-api.com, but the SKILL.md examples POST to https://gateway.pipeworx.io/bible/mcp. The 'Connect' snippet also instructs running 'npx mcp-remote@latest' against that gateway. Calling a third-party gateway (and encouraging running an npx client) is not clearly justified by the stated purpose of simply fetching verses from bible-api.com.
! Instruction Scope
Instructions direct the agent/user to send JSON-RPC to a pipeworx gateway and include a recommended npx command. The skill does not ask for unrelated files or env vars, but the SKILL.md introduces a remote endpoint and a remote-executed client (via npx) that expand the runtime scope beyond a simple direct API call.
! Install Mechanism
There is no formal install spec (instruction-only), which is low risk, but the provided 'Connect' example tells users to run 'npx -y mcp-remote@latest', which downloads and runs code from the npm registry at runtime. That enables arbitrary remote code execution if followed and is disproportionate for a simple Bible lookup wrapper.
Credentials
The skill declares only curl as a required binary and requests no environment variables or credentials — these requirements are minimal and appropriate for its stated function.
Persistence & Privilege
The skill is not always-enabled and does not request persistent/privileged presence. It does not declare any config paths or other skills' configuration access.
What to consider before installing
This skill is instruction-only and mostly benign-looking, but the SKILL.md points requests at a pipeworx gateway instead of the advertised bible-api.com and suggests running an npx-delivered MCP client (which downloads and executes code). Before installing or running it:
1) Confirm whether you trust gateway.pipeworx.io and why traffic would be routed through it instead of calling bible-api.com directly.
2) Avoid running the npx command until you inspect the mcp-remote package source (running npx executes code from the network).
3) If you only need plain Bible lookups, consider calling bible-api.com directly with curl (compare responses) or ask the maintainer to clarify why the gateway/npx client are necessary.
4) Do not include any sensitive credentials or data when testing, since requests will go through a third-party endpoint.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📖 Clawdis
Bins: curl
