Skill v1.0.0

ClawScan security

Pipeworx core-research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 23, 2026, 7:07 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (wrap CORE API to fetch open-access papers) matches the instructions, but the runtime instructions route requests through an external gateway (gateway.pipeworx.io) from an unknown source and provide no provenance or privacy detail — this mismatch in transparency is concerning.
Guidance
This skill appears to be what it says (search and fetch CORE papers) but routes requests through an external gateway (gateway.pipeworx.io) from an unknown source. Before installing, ask the publisher for: (1) source code or a homepage, (2) the gateway operator's identity and privacy policy, (3) whether queries or full texts are logged or stored, and (4) whether any API keys or credentials are used by the gateway. If you cannot verify those, avoid sending sensitive or proprietary text through the skill and prefer a direct integration with api.core.ac.uk or another trusted proxy.

Review Dimensions

Purpose & Capability
note
The skill claims to wrap the CORE API to search and retrieve papers — that purpose is consistent with the small set of runtime instructions. However, instead of calling the official api.core.ac.uk endpoint directly, the SKILL.md specifies an mcpServers entry pointing to https://gateway.pipeworx.io/core-research/mcp. The skill metadata does not disclose this third-party proxy, there is no homepage or source link, and the gateway operator is unknown. This could be a legitimate proxy, but it should be disclosed.
Instruction Scope
note
SKILL.md is minimal and does not instruct the agent to read local files or secrets (good), but it explicitly directs requests to the pipeworx gateway. The doc is also truncated in places and lacks details on what is sent to the gateway (queries, full text), rate limiting, or how authentication is handled. That leaves open the possibility that user queries and retrieved full texts would be forwarded to an external service without the user's awareness.
Install Mechanism
ok
No install spec and no code files are present — this is instruction-only, so nothing is written to disk by an installer. This minimizes installation risk.
Credentials
note
The skill requests no environment variables or credentials, which reduces secret-exfiltration risk. At the same time, the presence of an external gateway suggests the proxy may perform authentication on behalf of the skill (hidden from the user). The absence of declared credentials or a privacy/ownership statement is surprising and should be clarified.
Persistence & Privilege
ok
The skill is not marked always:true, and it is user-invocable with normal autonomous invocation allowed. It does not request system-wide persistence or modify other skills' configs.