Pipeworx trivia
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do what it says—fetch trivia from a disclosed service—though its optional MCP setup runs an unpinned npm package.
This looks appropriate for fetching public trivia. Before enabling the MCP configuration, make sure you are comfortable running an npm-based remote MCP bridge and consider pinning the mcp-remote package version instead of using @latest.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the MCP configuration is used, the local environment may download and run whatever version of mcp-remote is current at that time.
The optional MCP setup runs the latest version of an npm package through npx. This is common for MCP remote bridges, but the package version is not pinned and the npx dependency is not listed in the declared required binaries.
"command": "npx", "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/trivia/mcp"]
Pin mcp-remote to a specific trusted version where possible, declare npx/node as a requirement, and only enable the MCP config if you trust the Pipeworx gateway and the npm package source.