Pipeworx cocktails
v1.0.0
Cocktail recipes from TheCocktailDB — search by name, browse by ingredient, or discover a random drink
by Bruce Gutman (@brucegutman)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the behavior: it calls a cocktail API and exposes search/get/random operations. Declared required binary (curl) is appropriate and no unrelated secrets or paths are requested.
Instruction Scope
SKILL.md stays on-topic: it shows how to call the gateway endpoints and how to use the tool methods. It does not instruct reading local files, unrelated env vars, or exfiltrating data. The MCP client example does instruct using npx to run a remote helper, which is an optional client convenience rather than required runtime behavior.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However the MCP client config example uses 'npx mcp-remote@latest', which will fetch and execute code from the npm registry at runtime if used — this is an ancillary risk to be aware of though not required to use the skill (you can call the gateway with curl as shown).
Credentials
No environment variables, credentials, or config paths are requested. The lack of secrets is proportional to a read-only recipe lookup service.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or cross-skill configuration. Model invocation is not disabled (normal default).
Assessment
This skill appears to do exactly what it claims: query a cocktail database via pipeworx.io and return recipes. No credentials are needed. Two things to consider before installing: (1) the skill calls a third-party gateway (gateway.pipeworx.io) — if you have privacy or network restrictions, be aware requests go to that domain; (2) the included MCP client example uses 'npx' which will download and execute a remote npm package if you run it — you can avoid that by using the provided curl examples or by inspecting the package before running. If those two points are acceptable, the skill is coherent and proportionate to its purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk977s396cwga48vdprxb15jrzs84dwmh
Runtime requirements
🍸 Clawdis
Bins: curl
