ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx stackexchange

v1.0.0

Search and retrieve questions and answers from any StackExchange site, including StackOverflow, ServerFault, SuperUser, and more.

0· 40·0 current·0 all-time
byBruce Gutman@brucegutman
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to search and retrieve StackExchange content and the SKILL.md shows exactly that functionality. However, instead of calling the official StackExchange API, the instructions call a third‑party endpoint (https://gateway.pipeworx.io/stackexchange/mcp). Using a proxy is a plausible design choice but it's not documented in the description or metadata, so the reliance on an external gateway is worth flagging.
!
Instruction Scope
Runtime instructions explicitly POST JSON-RPC queries (including question text) to gateway.pipeworx.io. The instructions do not read local files or env vars, but they do send user-provided query text to an external server. That external call can leak any sensitive content the agent includes in queries and is outside the expected target (api.stackexchange.com).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and there is no package install risk.
Credentials
The skill requires no environment variables, credentials, or config paths. There is no request for unrelated secrets. The main proportionality concern is network exfiltration of query content to the external gateway rather than misuse of local credentials.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default); combined with the external network calls this means the agent could call the gateway automatically, which raises privacy considerations but is not a privilege escalation by itself.
What to consider before installing
This skill functions by forwarding your search queries to a third‑party gateway (gateway.pipeworx.io) rather than directly to StackExchange. That means anything you send (including code snippets, private queries, or contextual data the agent attaches) could be logged or inspected by the gateway operator. If you care about privacy or confidentiality, do not use this skill until you verify the gateway operator's trustworthiness and data-handling policy, or prefer a skill that calls the official StackExchange API (api.stackexchange.com) or a self-hosted proxy. Also consider whether automatic (autonomous) invocation is acceptable, because the agent could send queries to the gateway without an extra confirmation. If you want to proceed, ask the skill publisher for documentation about gateway ownership, retention/policy, and TLS/certificate provenance, or request a version that uses the official API or a trusted endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b5ppnybvzc9b9eh0xpj4ek584tmg2
40downloads
0stars
1versions
Updated 4d ago
v1.0.0
MIT-0
Bruce Gutman@brucegutman
latest
Download

StackExchange

Search questions and retrieve answers from StackOverflow, ServerFault, SuperUser, Ask Ubuntu, Math, Physics, and any other StackExchange site.

search_questions

Search for questions on any StackExchange site. Returns the question title, body (HTML), score, answer count, tags, link, and view count. Default site is stackoverflow but you can pass any site slug.

get_answers

Get all answers for a question by its numeric ID. Returns the answer body, score, whether it's the accepted answer, author name, and author reputation.

curl -X POST https://gateway.pipeworx.io/stackexchange/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"search_questions","arguments":{"query":"async await best practices","site":"stackoverflow","limit":3}}}'

Supported sites

Pass any site slug: stackoverflow, serverfault, superuser, askubuntu, math, physics, gaming, dba, security, unix, and hundreds more.

{
  "mcpServers": {
    "stackexchange": {
      "url": "https://gateway.pipeworx.io/stackexchange/mcp"
    }
  }
}

Comments

Loading comments...