Back to skill
Skillv1.0.0
ClawScan security
Pipeworx wikiviews · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 12:33 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and behavior are internally consistent: it is an instruction-only wrapper that calls a third‑party Pipeworx endpoint to return Wikipedia pageview data.
- Guidance
- This skill calls a third-party API at gateway.pipeworx.io to fetch Wikipedia pageview data. That behavior is consistent with its description, but consider privacy and trust: any text you submit (article titles, date ranges, or surrounding conversation context the agent includes) will be sent to that external service. If you care about sensitive data, avoid using the skill or test it first with non-sensitive queries. If possible, verify the publisher or endpoint (homepage, docs, or ownership of the gateway.pipeworx.io domain) before enabling autonomous invocation, and ensure your environment/network policy allows calls to that host.
Review Dimensions
- Purpose & Capability
- okThe name and description promise Wikipedia pageview data and the SKILL.md documents concrete RPC/HTTP calls to an external wikiviews gateway; there are no unrelated environment variables, binaries, or install steps requested.
- Instruction Scope
- noteThe runtime instructions instruct the agent to POST JSON to https://gateway.pipeworx.io/wikiviews/mcp (example curl provided). This is expected for a remote API-based data provider, but it means user queries and any context the agent includes will be sent to that third-party endpoint.
- Install Mechanism
- okNo install spec or code files are present (instruction-only), so nothing is written to disk and no external packages are fetched during install.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. There are no disproportionate secret requests relative to the described functionality.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; autonomous invocation is allowed (platform default). This combined with the external endpoint is normal for a data-provider skill but means the agent may send prompts/inputs to the remote service when invoked.