Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx flood

v1.0.0

River discharge and flood forecasts for any location — up to 92 days ahead via Open-Meteo

by Bruce Gutman (@b-gutman)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious, medium confidence
! Purpose & Capability
The name/description state the skill uses Open‑Meteo, which is plausible, but the runtime example and MCP config send requests to https://gateway.pipeworx.io/flood/mcp rather than directly to Open‑Meteo. The MCP config also expects 'npx' (Node/npm) to run mcp-remote, yet the skill's declared required binaries list only 'curl'. Requiring a remote gateway proxy and an undeclared runtime (npx) is disproportionate to the simple stated purpose and is an incoherence.
! Instruction Scope
The SKILL.md instructs the agent to POST user-supplied coordinates to a third‑party endpoint (gateway.pipeworx.io) and to configure an MCP remote using npx which will download and run code from npm at runtime. Those instructions cause user data (locations) to be transmitted to an external service and implicitly invoke remote code — neither of which is called out in the metadata. There is no guidance about what the gateway does with data or whether credentials are required.
! Install Mechanism
There is no formal install spec, but the provided MCP config explicitly uses 'npx -y mcp-remote@latest', which would fetch and run code from the npm registry at runtime. That pattern is higher risk (remote package download and execution) and is not declared in the skill's requirements. The SKILL.md relies on runtime installation via npx without declaring Node/npx as required.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a simple read-only forecast service. However, because it forwards requests to a third party (pipeworx gateway), it's unclear whether that gateway requires authentication or logs/transforms data. The lack of declared credentials is not malicious but reduces transparency about where location data will go.
Persistence & Privilege
No 'always: true' flag, no required config paths, and no declared persistence. The skill is user-invocable only and does not request elevated agent-wide privileges.
What to consider before installing
This skill forwards user-supplied coordinates to a third-party gateway (gateway.pipeworx.io) and the docs suggest using 'npx mcp-remote@latest' which would download and run code from npm at runtime — neither of which is clearly declared in the metadata. Before installing: (1) confirm you trust pipeworx.io and review its privacy/publishing policy (what it logs/retains); (2) ask the publisher why Open‑Meteo calls are proxied and request direct Open‑Meteo endpoints or transparency about the gateway's behavior; (3) note that Node/npx is implicitly required — avoid running npx mcp-remote unless you can inspect the package source or run in a sandbox; (4) do not send sensitive or private location coordinates until you verify the gateway's data handling; (5) if you prefer, implement direct calls to Open‑Meteo yourself using curl to avoid third‑party proxies.


Runtime requirements

🌊 Clawdis
Bins: curl
MIT-0

Flood Forecasts

Get daily river discharge predictions for any location on Earth, up to 92 days into the future. The Open-Meteo Flood API provides discharge volumes in cubic meters per second, plus comprehensive forecasts with mean, median, and maximum discharge values.

Tools

  • get_river_discharge — Daily discharge forecast for a location (lat/lon). Default 7 days, max 92.
  • get_flood_forecast — Comprehensive forecast including mean, max, and additional discharge metrics. Default 16 days.

When this matters

  • Early warning systems for communities near rivers
  • Insurance and risk assessment for flood-prone areas
  • Agricultural planning that depends on river levels
  • Emergency preparedness — checking if a river near coordinates is expected to surge

Example: Danube river near Vienna

curl -s -X POST https://gateway.pipeworx.io/flood/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_flood_forecast","arguments":{"latitude":48.2082,"longitude":16.3738,"forecast_days":16}}}'

Returns daily discharge values with date and cubic meters per second.

MCP config

{
  "mcpServers": {
    "pipeworx-flood": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/flood/mcp"]
    }
  }
}
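
The three mismatches the scan reports for this config (an undeclared launcher binary, an unpinned npm package, and a host other than the one the description names) can be checked mechanically before a skill is installed. The script below is an added example, not part of the skill or of ClawHub's scanner; the expected-host suffix and the set of package runners are assumptions chosen for this listing.

```python
import json
from urllib.parse import urlparse

# MCP config as published in the skill's documentation above.
MCP_CONFIG = """
{
  "mcpServers": {
    "pipeworx-flood": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/flood/mcp"]
    }
  }
}
"""
DECLARED_BINS = {"curl"}              # "Bins" field of the listing
EXPECTED_HOSTS = ("open-meteo.com",)  # assumption: the upstream the description names
PACKAGE_RUNNERS = {"npx", "bunx", "uvx"}  # assumption: launchers that fetch and run registry code


def audit_mcp_config(config_text, declared_bins, expected_hosts):
    """Return (server, finding, value) tuples for one MCP client config."""
    findings = []
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        command = spec.get("command", "")
        args = [str(a) for a in spec.get("args", [])]
        if command not in declared_bins:
            findings.append((name, "undeclared-binary", command))
        if command in PACKAGE_RUNNERS:
            # First positional argument is the package spec: name[@version].
            pkg = next((a for a in args if not a.startswith("-") and "://" not in a), None)
            if pkg is not None:
                # Skip a leading '@' so scoped names (@scope/pkg) are not read as versions.
                version = pkg.rpartition("@")[2] if "@" in pkg[1:] else ""
                if version in ("", "latest"):  # no version or a moving tag
                    findings.append((name, "unpinned-package", pkg))
        for arg in args:
            host = urlparse(arg).hostname if "://" in arg else None
            if host and not any(host == h or host.endswith("." + h) for h in expected_hosts):
                findings.append((name, "unexpected-host", host))
    return findings


if __name__ == "__main__":
    for finding in audit_mcp_config(MCP_CONFIG, DECLARED_BINS, EXPECTED_HOSTS):
        print(*finding, sep="\t")
```

An empty result means the launcher is declared, the package carries an explicit version, and every URL argument stays within the expected hosts; it says nothing about what the package or the remote service does.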
