ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx amplitude

v1.0.0

Retrieve and analyze user events, active counts, retention, and profiles in Amplitude with detailed date-range and granularity options.

0· 76·0 current·0 all-time
byBruce Gutman@brucegutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for brucegutman/pipeworx-amplitude.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pipeworx amplitude" (brucegutman/pipeworx-amplitude) from ClawHub.
Skill page: https://clawhub.ai/brucegutman/pipeworx-amplitude
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-amplitude

ClawHub CLI

Package manager switcher

npx clawhub@latest install pipeworx-amplitude
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's purpose is Amplitude analytics, but instead of declaring Amplitude API keys or an official Amplitude endpoint it references a third-party gateway (https://gateway.pipeworx.io/amplitude/mcp). Legitimately querying Amplitude normally requires credentials; those are not requested or explained.
!
Instruction Scope
SKILL.md defines RPC-like actions (amp_get_events, amp_user_search, etc.) and includes a JSON block pointing the agent to an external MCP server. That directs the agent to send event/identity queries (potentially including PII) to pipeworx.io — the instructions are vague about what data is transmitted, who owns the gateway, or how authentication is handled.
Install Mechanism
No install spec and no code files are present, so nothing is written to disk by the skill itself. This lowers risk from arbitrary installs.
!
Credentials
No environment variables or credentials are declared despite needing access to Amplitude data. This is inconsistent: either the gateway holds credentials (not disclosed) or the agent must transmit user credentials at runtime — both scenarios require explicit disclosure and justification.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistence or modifications to other skills or system-wide settings.
Scan Findings in Context
[no-regex-findings] expected: Scanner found no code or regex matches; this is expected because the skill is instruction-only (SKILL.md only). Absence of findings does not imply safety.
What to consider before installing
Before installing, ask the publisher these questions and take these steps: 1) Who operates https://gateway.pipeworx.io and where are requests logged/stored? 2) How does authentication to Amplitude work—does the gateway hold org credentials, or will you be asked to provide them? 3) What exact data will be transmitted to the gateway (events, user identifiers, emails)? Avoid sending PII until you have clear answers. 4) Prefer official integrations that call Amplitude endpoints directly or run in your controlled environment; demand source code or a homepage to verify. 5) If you must test, do so with a non-production Amplitude project and no real user identifiers, and review network logs and privacy policies. If the publisher cannot clearly justify the external gateway and data flows, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bc8tbps9h5jfy9k9tycasrd85bbgf
76downloads
0stars
1versions
Updated 5d ago
v1.0.0
MIT-0
Bruce Gutman@brucegutman
latest
Download

Amplitude

Amplitude MCP Pack

amp_get_events

Get event counts and breakdowns for a date range (e.g., "2024-01-01" to "2024-01-31"). Returns frequ

amp_get_active_users

Get active user counts by granularity (daily, weekly, or monthly) for a date range. Returns totals a

amp_get_retention

Get user retention metrics for a cohort over time. Returns retention percentages by time period (e.g

amp_user_search

Search for users by ID or property (e.g., email, user_id). Returns matching profiles with properties

amp_get_user_activity

Get recent event activity timeline for a specific user. Returns events with timestamps, properties,

{
  "mcpServers": {
    "amplitude": {
      "url": "https://gateway.pipeworx.io/amplitude/mcp"
    }
  }
}

Comments

Loading comments...