Skill v1.0.0

ClawScan security

Pipeworx nutrition · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 13, 2026, 9:10 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims to be a thin Open Food Facts wrapper but its instructions tell the agent to run npx to fetch and execute a remote npm package (mcp-remote@latest) from a Pipeworx gateway while the metadata omits that requirement — this enables arbitrary remote code execution and is disproportionate to the stated purpose.
Guidance
This skill's README tells the agent to run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/nutrition/mcp' but the metadata doesn't state that npx/node are required. Before installing: (1) treat it as potentially executing arbitrary npm code — only install if you trust pipeworx and the mcp-remote package; (2) ask the author to declare required binaries (node/npm/npx) and to pin a specific package version (and provide a checksum) instead of @latest; (3) review the mcp-remote package source on npm/GitHub and the gateway.pipeworx.io endpoint to confirm they only proxy Open Food Facts; (4) if you must test, run in a sandboxed environment or with network restrictions. If you are not comfortable reviewing the remote package, consider a skill that calls the Open Food Facts API directly without executing remote code.

Review Dimensions

Purpose & Capability
concern: The description says it wraps the Open Food Facts API (no auth). The SKILL.md Connect block requires running 'npx ... mcp-remote@latest https://gateway.pipeworx.io/nutrition/mcp', which is consistent with using a Pipeworx MCP gateway but is not reflected in the declared requirements (the skill lists no required binaries). Omitting the need for npx/node is an incoherence.
Instruction Scope
concern: The instructions tell the agent to execute an npx command that will download and run code from npm and connect to an external gateway. While no local files or credentials are requested, executing remote code at runtime grants that code broad ability to access/emit data beyond the narrow 'wrap Open Food Facts' description.
Install Mechanism
concern: There is no install spec in the registry, but the runtime Connect uses npx to fetch 'mcp-remote@latest' from the npm registry. Using npx with @latest to run an unpinned package is a moderate-to-high risk: it executes code fetched at runtime from a third-party registry and the package could change over time.
Credentials
ok: The skill declares no environment variables, credentials, or config-path access and the SKILL.md does not request any additional secrets. That aspect is proportionate to the stated purpose.
Persistence & Privilege
note: 'always' is false (good). Autonomous invocation is allowed (the platform default). Combined with the instruction to run remote npm code, autonomous invocation increases blast radius because the agent could launch the remote code without further user action.