Skill v1.0.0

ClawScan security

Pipeworx crates · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 23, 2026, 7:08 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to wrap the public crates.io API and requires no credentials, but its runtime instructions point to an unexplained third‑party gateway (gateway.pipeworx.io) — this is a plausible design choice but also a potential privacy/exfiltration risk.
Guidance
Before installing: ask the author why the skill routes requests through https://gateway.pipeworx.io instead of calling crates.io directly and request a privacy/retention statement for that gateway. If you need to avoid leaking search queries, ask for a variant that calls crates.io directly or host your own proxy. Because the skill is read-only and requests no credentials it's low-risk functionally, but any queries you send will go to the external gateway URL — do not send private or sensitive data through it. If unsure, test the skill in an isolated environment and monitor outgoing network traffic to verify what is sent to the gateway.

Review Dimensions

Purpose & Capability
note
Name and description (search and fetch crates.io metadata) align with the minimal instructions. However, instead of calling crates.io directly the SKILL.md provides a third‑party URL (https://gateway.pipeworx.io/crates/mcp) as the MCP server; that endpoint is not documented or justified in the description.
Instruction Scope
concern
SKILL.md is very short and does not show direct calls to crates.io; the included JSON instructs the agent to use an external gateway. That means queries (search terms, crate names) will be routed through a third party instead of directly to crates.io — SKILL.md gives no privacy/usage explanation and is vague about exactly what gets sent to the gateway.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — nothing is written to disk and no third‑party packages are pulled during install.
Credentials
ok
No environment variables, credentials, or config paths are requested — this is proportionate for a read‑only, no‑auth crates.io wrapper.
Persistence & Privilege
ok
Skill is not always-enabled and uses the platform defaults for invocation; it does not request elevated persistence or modify other skills or system settings.