Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pipeworx trivia
v1.0.0
Trivia questions from the Open Trivia Database — 4,000+ questions across 24 categories with difficulty levels
by Bruce Gutman (@brucegutman)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actions shown (fetch trivia from an external API). The declared requirement (curl) is appropriate for the example curl usage. However the SKILL.md also includes an MCP config that invokes 'npx ... mcp-remote@latest', which implies a need for node/npx and remote package execution that is not listed in required binaries or installs.
Instruction Scope
Instructions direct POSTs to an external gateway (https://gateway.pipeworx.io/trivia/mcp) to fetch questions — expected for this skill. But the provided MCP config recommends running 'npx -y mcp-remote@latest <gateway>' which will download and execute code from the npm registry at runtime; the skill file does not make this explicit, nor does it declare node/npx as required. That introduces an implicit ability to run remotely fetched code if followed.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The MCP config, however, demonstrates an install-time action that would use npx to fetch and run mcp-remote@latest from npm (extract/execute on the fly). Because that step is presented as a configuration example (not enforced by the skill metadata), it is optional but potentially risky if executed unvetted.
Credentials
The skill requests no environment variables, no credentials, and no config paths. For a trivia-fetching skill this is proportional and preferable — there is no apparent need for secret access.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (defaults). It does not request persistent system-level privileges or modifications to other skills. Autonomous model invocation is allowed by default but does not combine here with other high-risk factors.
What to consider before installing
This skill appears to do exactly what it says — fetch trivia from an external Pipeworx gateway — and it does not request any secrets. However: (1) the SKILL.md suggests using 'npx mcp-remote@latest' to connect to the gateway; running npx downloads and executes remote npm code, which can run arbitrary commands on your system. Only run the npx step if you trust the package and have reviewed it. (2) The declared requirements list curl but do not list node/npx; if you plan to follow the MCP config, ensure you have node/npx and audit the mcp-remote package first. (3) Confirm you are comfortable with sending queries to https://gateway.pipeworx.io and review the service privacy/policy on the homepage. If you want a lower-risk integration, use the curl examples only and avoid running npx or other remote installers.
Like a lobster shell, security has layers — review code before you run it.
latest vk972kh943keq5xk0z41mhmq1c584ba7j
Runtime requirements
🧠 Clawdis
Bins: curl
