Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pipelinegate
v1.0.0
Chain Green Helix tools into multi-step pipelines. Define a sequence of steps (scan-text, scan-skill, check-scope, validate, diff, check-env, convert) and Pi...
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the code: this is a local pipeline engine that calls existing 'products.*' detectors and extractors. However, the skill imports several internal product modules (products.promptguard, products.skillscan, products.scopecheck) which are external dependencies not declared in SKILL.md or registry metadata; if those modules are missing the service will fail. Overall capabilities are coherent with the description but rely on internal product libraries.
Instruction Scope
SKILL.md instructs launching a uvicorn API and POSTing step payloads — consistent with the FastAPI app. The code implements expected tools, but there are subtle scope items: the 'check-env' tool programmatically inspects the host process environment (os.environ) and reports which requested env var names are present/absent; SKILL.md does not explicitly call out that probing behavior. The 'check-scope' tool returns detected filesystem paths and network URLs extracted from provided SKILL.md content (it does not itself read files or access network resources).
Install Mechanism
SKILL.md metadata shows a pip-style install of common Python packages (fastapi, uvicorn, pydantic, pyyaml, jsonschema). Registry install shows an id/kind 'uv', which is unusual, but the SKILL.md itself lists pip packages. Installing via pip from PyPI is expected for a Python web app (moderate risk) but requires network access and will write packages to disk. No signs of arbitrary URL downloads or extraction from unknown hosts were observed.
Credentials
The skill declares no required env vars, yet the code can inspect os.environ when you invoke the 'check-env' tool and will report which requested variable names are present. That lets callers probe whether specific environment variables exist on the host (it does not return variable values, only presence). Because the service opens an HTTP API, if that API is reachable by others it could be used to remotely probe which env names exist on the host. This capability is functionally related to a 'check-env' tool but represents a potential information-leak risk and should be documented and constrained.
Persistence & Privilege
The skill does not request persistent/autoload privileges (always:false). It does not modify other skills' configs or system-wide settings. It runs as a local web server when started by the user; its runtime privileges are the privileges of the user running the process.
What to consider before installing
This skill appears to implement the pipeline functionality it claims, but review these points before installing or exposing it:
- Local server and environment probing: The server exposes a /v1/run API that can invoke a 'check-env' step which checks for the existence of supplied environment variable names (it returns which names are present or missing). While it doesn't return secret values, this lets callers probe the host environment. Run the server only on localhost or behind an access control mechanism and avoid exposing it to untrusted networks.
- Dependency and install mismatch: SKILL.md requests pip packages (fastapi, uvicorn, pydantic, pyyaml, jsonschema). Registry metadata shows an unusual 'uv' id/kind; confirm your install system maps that to pip. The code also imports internal 'products.*' modules that must exist in your environment; otherwise the service will fail. Review/confirm availability of those product libraries.
- Minor functional inconsistencies: The tools registry description claims conversion includes TOML but exec_convert only supports JSON and YAML; the SKILL.md doesn't state the 'check-env' probing explicitly. These are implementation mismatches (likely bugs) — confirm behavior before relying on the tool.
- Run safely: If you test it, run in an isolated environment (container or VM) and bind uvicorn to 127.0.0.1. Inspect logs and network exposure. If you need to allow remote access, add authentication or restrict access to trusted hosts.
If you want, I can point out the exact lines where environment probing and the JSON/YAML/TOML mismatch occur, or produce a minimal wrapper that starts the server bound to localhost only.
Like a lobster shell, security has layers — review code before you run it.
latest vk970es7rbqp5r4zerh6kpctwfh84ss13
Runtime requirements
⛓️ Clawdis
Bins: python
Install
uv
