ClawHub

Pipeworx zippopotam

v1.0.0

ZIP and postal code lookup — get place names, states, and coordinates for postal codes in 60+ countries

0· 60·0 current·0 all-time
byBruce Gutman@brucegutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the behavior in SKILL.md: the skill performs postal/ZIP lookups via HTTP to a Pipeworx gateway. Required tool is curl, which is appropriate and proportionate for making the provided example requests. No unrelated binaries, environment variables, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to POST JSON-RPC requests to https://gateway.pipeworx.io/zippopotam/mcp to call lookup_zipcode and lookup_city. The instructions do not ask the agent to read local files or unrelated environment variables. However, all query data (postal codes, city names, potentially user-supplied address fragments) will be sent to a third-party service; the MCP config example also suggests running npx to create a remote connection. Both are expected for a remote API-backed skill but are worth noting from a privacy/security perspective.
Install Mechanism
There is no formal install spec (instruction-only), which is lowest risk. The included MCP config example references using npx to run mcp-remote@latest, which will fetch and execute code from npm at runtime. That is not part of an explicit install spec in the registry but does create a runtime code-download surface (moderate risk) if used.
Credentials
The skill declares no required environment variables or credentials. That is proportionate for a simple lookup service and matches the instructions. No suspicious credential or config access is requested.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide changes. The MCP config can be used to configure a remote bridge, but that is optional example configuration rather than a forced persistent privilege.
Assessment
This skill appears to do what it says: it sends postal-code or city queries to a Pipeworx gateway and returns results. Before installing/using it: (1) confirm you trust the endpoint (https://gateway.pipeworx.io) because queries will be transmitted there; avoid sending sensitive PII in lookups; (2) be cautious about the provided MCP config—using the npx example downloads and runs code (mcp-remote@latest) from npm at runtime—if you need that functionality, prefer auditing a fixed package version or preinstalling a vetted package; (3) if you operate in a restricted environment, consider firewalling or sandboxing outbound requests to that gateway; (4) if you want higher assurance, ask the author for an explicit install artifact or review the mcp-remote implementation and Pipeworx privacy policy.

Like a lobster shell, security has layers — review code before you run it.

latestvk977j3rs76kww67s2bd65bm9ex84bpdv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📬 Clawdis
Binscurl

Comments