ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx nvd

v1.0.0

NVD MCP — wraps the NIST National Vulnerability Database API (free, no auth)

0· 45·0 current·0 all-time
byBruce Gutman@brucegutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The description says it wraps the NIST NVD (no auth) but the SKILL.md's Connect block instructs running 'npx ... mcp-remote@latest' to reach https://gateway.pipeworx.io/nvd/mcp. A direct NVD wrapper would be expected to call NIST endpoints directly — requiring an npm package and a third‑party gateway is not justified by the stated purpose.
!
Instruction Scope
The only runtime instruction is to run npx to download and execute mcp-remote and connect to gateway.pipeworx.io. That directs the agent to execute remote code and contact a third‑party service rather than directly calling the public NVD API; it also implicitly requires the npx/node runtime even though no binaries were declared.
!
Install Mechanism
Although there is no explicit install spec, the SKILL.md uses npx to fetch 'mcp-remote@latest' at runtime. This dynamically pulls and runs code from the npm registry with an unpinned 'latest' version and no integrity check — a moderate-to-high installation risk because arbitrary code will be executed.
Credentials
The skill declares no environment variables or credentials, which is consistent with a public NVD wrapper. However, it still routes requests through a third‑party gateway (gateway.pipeworx.io), which could observe or collect queries and responses even though no credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system configuration or higher privileges. Autonomous invocation is allowed (platform default) but not combined with other privilege-escalating flags.
What to consider before installing
This skill's description (a simple NVD wrapper) does not match its runtime instruction to run 'npx -y mcp-remote@latest' and connect to gateway.pipeworx.io. That will download and execute code from npm and send your queries through a third party. Before installing: (1) confirm why a gateway and remote npm package are required instead of calling nvd.nist.gov directly; (2) ask for a pinned package version and integrity/hash rather than 'latest'; (3) inspect the mcp-remote package source or run it in an isolated environment; and (4) avoid using it with sensitive data unless you trust gateway.pipeworx.io. If you cannot verify those, treat the skill as potentially unsafe.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ahv3c70mk1e5cqah19z76dd84rdnn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments