Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx carbon

v1.0.0

UK national carbon intensity data — real-time, historical, and generation mix from the Carbon Intensity API

by Bruce Gutman (@brucegutman)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The description claims data comes from the official Carbon Intensity API (carbonintensity.org.uk) but the SKILL.md examples and setup use gateway.pipeworx.io and an MCP remote endpoint. A simple carbon-intensity query would not require a third‑party gateway or an npx remote connector; the use of Pipeworx is not documented or justified.
Instruction Scope
Instructions demonstrate POSTing JSON-RPC to gateway.pipeworx.io and instruct configuring an MCP server that runs `npx ... mcp-remote@latest` to connect to that gateway. That means runtime traffic and potentially agent context will be sent to a third party and the agent operator will execute remote npm code — neither of which is described or bounded in the pack.
Install Mechanism
There is no formal install spec, but SKILL.md's recommended setup uses `npx` to fetch and run `mcp-remote@latest` from npm. Running npx against an arbitrary package is a supply-chain risk (code pulled and executed at runtime) and is not declared in the skill's install metadata.
Credentials
The skill declares no required environment variables or credentials — that's proportional to a read-only public API. However, because it routes requests through Pipeworx, it's unclear whether the gateway expects/collects additional secrets or agent context; the SKILL.md does not disclose what data the gateway receives.
Persistence & Privilege
The skill is not always-enabled and doesn't request elevated platform privileges. Still, the suggested MCP configuration will run an npx-installed connector that may persist as a service/daemon (MCP remote) and maintain a long-lived connection to the Pipeworx gateway; this is not spelled out.
What to consider before installing
Before installing:
(1) Confirm whether Pipeworx is intentionally acting as a proxy for the official Carbon Intensity API; ask the publisher to state explicitly what the gateway does and why it is needed.
(2) Treat the suggested `npx mcp-remote@latest` step as a supply-chain and remote-execution risk: inspect the package (or avoid running it) and run it only in an isolated environment.
(3) Assume requests and any agent context sent with them may be visible to gateway.pipeworx.io; do not send secrets or sensitive data.
(4) Prefer a version that calls the official carbonintensity.org.uk API directly (curl against the official endpoints) or that provides a vetted install artifact hosted on a known release page.
If you cannot verify Pipeworx ownership and policies and the contents of the mcp-remote package, consider not installing, or contact the skill owner for clarification.

Like a lobster shell, security has layers — review code before you run it.

latestvk971aq73rdt5v7kn0tjp1g8ar584c468

Runtime requirements

🌱 Clawdis
Bins: curl
