ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx hackernews

v1.0.0

Search and browse Hacker News — top stories, keyword search via Algolia, and individual item lookup

0· 63·0 current·0 all-time
byBruce Gutman@brucegutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the functionality (search HN, top stories, fetch items). However, instead of calling Algolia or the Firebase API directly, the example and 'Connect' guidance route requests through https://gateway.pipeworx.io and via an npx-launched mcp-remote. That is a reasonable design choice (a remote wrapper) but it is not reflected in the metadata (no remote endpoint declared) and the SKILL.md claims direct use of Algolia/Firebase while providing only a Pipeworx gateway example.
!
Instruction Scope
Runtime instructions (example curl and the 'Connect' block) instruct the agent to POST user queries to gateway.pipeworx.io/mcp. This will transmit user query text and any arguments to an external service (privacy risk). The SKILL.md does not instruct reading local files or extra env vars, but it omits mention of npx/node even though the Connect snippet requires running npx mcp-remote@latest.
Install Mechanism
Instruction-only skill with no install spec and no code files — low installation risk. The only declared required binary is curl which is consistent with the provided curl example.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it relies on an external gateway (pipeworx) to process queries; there is no declared env var or configuration pointing to that gateway, and the Connect snippet requires npx/node even though npx is not listed in required binaries.
Persistence & Privilege
always is false and there is no install-time persistence or modification of other skill settings. The skill does not request elevated or permanent presence.
What to consider before installing
This skill seems to be a wrapper that sends your search queries to an external Pipeworx gateway rather than calling Algolia/Firebase directly. Before installing, consider whether you trust pipeworx.io to receive the text of your searches and any item IDs you fetch. Note the SKILL.md's "Connect" snippet uses `npx mcp-remote@latest` but the metadata only lists curl as a required binary — you may need node/npx if you plan to use that connection method. If you need stronger privacy or want to avoid sending queries to a third party, prefer a skill that calls Algolia/Firebase directly or confirm Pipeworx's privacy policy and the gateway's behavior (what they log/retain). If you proceed, test with non-sensitive queries first and verify network endpoints and their owners.

Like a lobster shell, security has layers — review code before you run it.

latestvk9788fqntvwmcz947rp34g2swx84e24c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📰 Clawdis
Binscurl

Comments