ClawHub

Pipeworx geo

v1.0.0

Geographic utilities — geocoding, reverse geocoding, country info, timezone lookup, and sunrise/sunset times

0· 56·0 current·0 all-time
byBruce Gutman@b-gutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the instructions: the SKILL.md shows curling a Pipeworx gateway to perform geocoding, reverse geocoding, timezone, country and sunrise/sunset lookups. Requiring only curl is proportionate.
Instruction Scope
Runtime instructions call the external API at https://gateway.pipeworx.io/geo/mcp (example curl). That's expected for a remote geo service, but it means user queries and any contained data are transmitted to that third-party endpoint. The MCP config also suggests invoking 'npx mcp-remote@latest', which would fetch and run remote npm code — this appears in docs but is not required by the skill's declared requirements.
Install Mechanism
No install spec and no code files — lowest disk footprint. The only potential install action shown is an optional npx command in the MCP config (not a declared install requirement). If used, npx would download code from the npm registry (moderate risk) but the skill itself does not mandate this.
Credentials
No environment variables, credentials, or config paths are requested. This aligns with the SKILL.md claim that the underlying APIs are free and require no keys.
Persistence & Privilege
Skill does not request always:true or any persistent system-wide privileges. It is user-invocable and can be invoked autonomously by the agent (platform default), which is expected for skills.
Assessment
This skill appears to do what it says: it sends geolocation requests to a Pipeworx gateway and returns results. Before using it, consider: (1) do not send secrets or sensitive PII in queries — those will be transmitted to gateway.pipeworx.io; (2) the MCP example suggests running 'npx ...' which would download and execute remote npm code — only run that if you trust the source; (3) if you require fully local lookups or stronger privacy guarantees, prefer a local tool or a provider you control. If you need greater assurance, ask the publisher for details about data retention, privacy policy, and the exact upstream APIs used.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fcycwwwn28sfw91ek4qh51184f0ke

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📍 Clawdis
Binscurl

Comments