ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx dns

v1.0.0

DNS record lookups via Google DNS-over-HTTPS — A, AAAA, MX, NS, TXT, CNAME, and reverse DNS

0· 43·0 current·0 all-time
byBruce Gutman@brucegutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description says queries use Google's DNS-over-HTTPS, but the provided curl example posts JSON-RPC calls to https://gateway.pipeworx.io/dns/mcp. That means queries are proxied to a third-party service rather than directly calling Google's DoH API — a mismatch between claimed implementation and actual data flow.
!
Instruction Scope
Runtime instructions direct the agent to POST domain names and record types to an external gateway (gateway.pipeworx.io). While DNS lookup functionality requires network access, the instructions will transmit user-provided domains/IPs to a third party; there are no instructions to restrict or sanitize sensitive inputs.
Install Mechanism
The package is instruction-only (no install spec), but the SKILL.md's Setup suggests using `npx mcp-remote@latest`, which would download and run code from npm. That is not required by the minimal curl examples but introduces additional supply-chain risk if followed.
Credentials
The skill requests no environment variables, credentials, or local config paths — that is proportionate for a network-based lookup utility. However, lack of requested creds does not prevent query data from being transmitted to the external gateway.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or modify other skills' settings. Autonomous invocation is allowed by default, which is normal; this is not combined with other high privileges here.
What to consider before installing
This skill will send the domains/IPs you ask about to gateway.pipeworx.io (and the setup suggests optionally running an npm package that would execute code). If you need guaranteed direct Google DoH queries or must not disclose internal/ sensitive hostnames, don't use this skill. Options: (1) ask the publisher how gateway.pipeworx.io handles/retains query data and whether it actually forwards to Google DoH; (2) use a local or well-known DoH endpoint directly (e.g., curl against https://dns.google/resolve) or implement your own resolver; (3) avoid running the suggested `npx mcp-remote` command unless you trust the package and publisher. If you want me to, I can rewrite the SKILL.md to call Google's DoH directly (no external gateway) or produce a minimal local curl-based recipe you can inspect and run yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk970dtgd24srnt098tvr9e15m984eex0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binscurl

Comments