ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx iplookup

v1.0.0

IP Lookup MCP — ip-api.com (free, no auth for basic usage)

0· 58·0 current·0 all-time
byBruce Gutman@brucegutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for brucegutman/pipeworx-iplookup.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pipeworx iplookup" (brucegutman/pipeworx-iplookup) from ClawHub.
Skill page: https://clawhub.ai/brucegutman/pipeworx-iplookup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-iplookup

ClawHub CLI

Package manager switcher

npx clawhub@latest install pipeworx-iplookup
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description says 'IP Lookup — ip-api.com (free, no auth)', which implies simple HTTP lookups. However the SKILL.md's Connect block instructs running 'npx -y mcp-remote@latest https://gateway.pipeworx.io/iplookup/mcp' to contact a Pipeworx gateway. The declared requirements list no binaries or credentials, but the runtime instructions require npx/node. Requiring an npm-executed remote component is disproportionate to a plain IP geolocation lookup and is not explained in the metadata.
!
Instruction Scope
The instructions tell the agent to fetch and execute a remote npm package (mcp-remote@latest) which will connect to https://gateway.pipeworx.io/iplookup/mcp. That implies user data (IP addresses and possibly surrounding context) would be sent to an external gateway rather than directly to ip-api.com. The SKILL.md gives no details about what the remote package does, what data it sends, or privacy/retention, so scope and data flows are unclear and broader than advertised.
!
Install Mechanism
There is no declared install spec, but the Connect snippet relies on npx to fetch and run the latest mcp-remote package from npm at runtime. Fetching and executing 'latest' from the public npm registry is a moderate-to-high risk pattern (the package content can change, and arbitrary code will run). The gateway URL is a third-party endpoint (gateway.pipeworx.io) rather than a well-known release host for binaries; this elevates risk because arbitrary remote code and network traffic are introduced at runtime.
Credentials
The skill requests no environment variables or credentials, which is proportionate for a lookup service. However, it fails to declare required runtime tooling (npx/node) despite requiring npx in its connection command—this omission is a practical mismatch rather than a credentials risk.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed (the platform default) but by itself is not a new red flag. The main concern is the combination of autonomous invocation with runtime execution of third-party npm code and external network connections.
What to consider before installing
This skill's metadata promises simple ip-api.com lookups, but its runtime instructions tell the agent to run 'npx -y mcp-remote@latest' to connect to a Pipeworx gateway—meaning it will download and execute code from npm and send queries to an external server. Before installing, verify the following: (1) Ask the publisher for source code or an explicit install spec so you can inspect what mcp-remote does and what data it transmits. (2) Confirm you are comfortable with running an npm 'latest' package at runtime (consider pinning to a specific vetted version). (3) If you only need raw ip-api.com lookups, prefer a skill that calls ip-api.com directly (no remote code execution). (4) If you proceed, run it in a sandboxed environment and review network traffic to confirm only intended IP queries are sent and no extra data is exfiltrated.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a4c0hm69z803yb2m59shjpx84rc42
58downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Bruce Gutman@brucegutman
latest
Download

pipeworx-iplookup

IP Lookup MCP — ip-api.com (free, no auth for basic usage). Free, no API key. Part of Pipeworx.

Tools

  • geolocate_ip
  • batch_geolocate

Connect

{
  "mcpServers": {
    "pipeworx-iplookup": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/iplookup/mcp"]
    }
  }
}

More at pipeworx.io/packs/iplookup

Comments

Loading comments...