Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx animequotes

v1.0.0

AnimeQuotes MCP — wraps animechan.io (free, no auth)

by Bruce Gutman (@brucegutman)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: SKILL.md tells the agent to call a Pipeworx JSON-RPC gateway that proxies animechan.io. Required binary declared is curl, which is sufficient for the provided curl examples. However, the MCP Client Config snippet uses 'npx' to run mcp-remote@latest but 'npx' is not listed in required binaries — a mismatch that should be justified or corrected.
Instruction Scope
Instructions are narrowly scoped to making HTTP POSTs to https://gateway.pipeworx.io/animequotes/mcp and listing/calling tools. The document does not instruct the agent to read local files, environment secrets, or unrelated system paths.
! Install Mechanism
There is no install spec (instruction-only), which is low risk. But the provided MCP Client Config recommends 'npx -y mcp-remote@latest', which implies dynamically downloading and executing code from the npm registry. That pattern can execute arbitrary code if used as-is — it is not a direct install required by the skill but is presented as the official client config and represents an install-time risk.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to a public, no-auth gateway wrapper.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges or modify other skill configurations. Autonomous invocation is allowed (default) but that is expected for skills and is not by itself a concern here.
What to consider before installing
This skill appears to just proxy a public anime quotes API and needs only curl for the curl examples. Before installing or using it:
(1) Be cautious about using the suggested 'npx -y mcp-remote@latest' line; that will fetch and execute code from npm. Prefer a pinned version, inspect the package, or avoid npx if you don't trust it.
(2) Understand that requests go to gateway.pipeworx.io (not directly to animechan.io), so any data you send in queries is visible to that third party.
(3) If you need to run the MCP client, prefer an audited/pinned package release or run curl commands shown in SKILL.md instead.
(4) Consider asking the publisher for a declared requirement for 'npx' (or removing the npx example) to resolve the mismatch.

latestvk9771xkzh2f46crpytb5qhw6j184bp6f

Runtime requirements

Clawdis
Bins: curl