Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx Govcon Analyst

v1.0.0

Analyze federal government contracting data from SAM.gov, USAspending, and SBIR to profile contractors, find opportunities, and assess agency spending.

by Bruce Gutman (@brucegutman)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for brucegutman/pipeworx-govcon-analyst.

Prompt preview (Install & Setup):
Install the skill "Pipeworx Govcon Analyst" (brucegutman/pipeworx-govcon-analyst) from ClawHub.
Skill page: https://clawhub.ai/brucegutman/pipeworx-govcon-analyst
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-govcon-analyst

ClawHub CLI


npx clawhub@latest install pipeworx-govcon-analyst

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name, description, and listed tools (SAM.gov, USAspending, SBIR data and related search/profile functions) are consistent with each other. There are no declared env vars, binaries, or config paths that are unrelated to the stated purpose.
Instruction Scope (flagged)
The SKILL.md includes an MCP server config that points to https://gateway.pipeworx.io/mcp?task=govcon%20analysis and instructs the agent to use compound tools (ask_pipeworx) and memory functions (remember/recall). Those instructions cause runtime data and queries to be sent to a third-party gateway, but the skill provides no explanation of what is sent, how it is authenticated, or how data is stored/retained — creating a potential data-exfiltration and privacy risk.
Install Mechanism
No install spec or code files are present; the skill is instruction-only and performs no local installation. This minimizes on-disk risk.
Credentials
The skill requests no environment variables or credentials. That could be legitimate if the external gateway handles auth, but the absence of declared credentials or an explanation of auth means you cannot verify where or how any API keys or PII would be provided or stored. The instructions also encourage using agent memory (remember/recall), which persists data and could store sensitive results.
Persistence & Privilege
always is false (normal). The skill is allowed to be invoked autonomously (disable-model-invocation false) which is the platform default. Combined with the external gateway reference, autonomous invocation increases the blast radius because the agent can send data to an external service without additional prompts.
What to consider before installing
This skill appears to implement the govcon analysis features it advertises, but it routes runtime queries and any saved memory to an external Pipeworx gateway (gateway.pipeworx.io) that is not documented in the registry metadata. Before installing:

(1) verify the skill's author and the gateway's ownership and privacy/retention policy,
(2) ask whether and how queries, uploaded documents, and agent memory are stored or logged,
(3) avoid sending secrets or sensitive PII through the skill until you confirm the endpoint and authentication model,
(4) consider disabling autonomous invocation for this skill or testing it in a sandboxed environment, and
(5) request the SKILL implementation/source or run a local/self-hosted MCP if you require full control over data flow.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972y9yr98c2k47m21xgbkdj8n85a7kc
71 downloads
0 stars
1 version
Updated 5d ago
v1.0.0
MIT-0

Pipeworx Govcon Analyst

GovCon Intel MCP — Compound tools that chain SAM.gov, USAspending,

Setup

{
  "mcpServers": {
    "govcon-intel": {
      "url": "https://gateway.pipeworx.io/mcp?task=govcon%20analysis"
    }
  }
}

Compound tools (start here)

These combine multiple data sources into one call:

| Tool | Description |
| --- | --- |
| govcon_contractor_profile | Complete government contractor dossier — SAM.gov entity registration, federal award history (USAspen |
| govcon_opportunity_scan | Government contracting opportunity search — open SAM.gov opportunities, set-aside contracts (8(a), H |
| govcon_agency_landscape | Federal agency contracting landscape — spending overview, recent awards, SBIR program stats, and spe |

Individual tools

For granular queries, these are also available:

| Tool | Description |
| --- | --- |
| sam_search_opportunities | Search active federal contract opportunities on SAM.gov. Filter by keyword, NAICS code, set-aside ty |
| sam_get_opportunity | Get full details for a specific federal contract opportunity by its solicitation number. Returns poi |
| sam_entity_search | Search for registered entities (vendors/contractors) in the SAM.gov entity database. Returns UEI, CA |
| sam_set_aside_opportunities | Search federal contract opportunities filtered by small business set-aside type. Useful for finding |
| usa_spending_by_agency | Get federal spending breakdown by agency for a given fiscal year and optional quarter. Shows how muc |
| usa_award_search | Search federal contract awards by keywords, agency, date range, and NAICS code. Returns recipient, a |
| usa_spending_by_category | Get federal spending broken down by category: NAICS code, PSC (product/service code), recipient, awa |
| usa_recipient_profile | Get a specific contractor or recipient |
| usa_spending_trends | Get federal spending over time for given keywords or agency. Returns spending grouped by fiscal year |
| sbir_search_awards | Search SBIR/STTR awards by keyword, agency, year, company, or state. Returns awards with company nam |
| sbir_get_award | Get details for a single SBIR/STTR award by its award ID. Returns full award information including c |
| sbir_search_solicitations | Search SBIR/STTR solicitations (funding opportunities). Returns topics with description, agency, and |
| sbir_company_awards | Get all SBIR/STTR awards for a specific company. Returns the full list of awards with amounts, agenc |
| sbir_agency_stats | Get SBIR/STTR award counts by agency. If an agency is specified, returns the count for that agency. |

Data sources

  • Samgov: SAM.gov MCP — Federal contract opportunities and entity registration data
  • Usaspending: USAspending MCP — Federal spending data from USAspending.gov API
  • Sbir: SBIR MCP — wraps the SBIR.gov public API (free, no auth)

Tips

  • Start with compound tools — they handle errors and combine data automatically
  • Use ask_pipeworx if you're unsure which tool to use
  • Use remember/recall to save intermediate findings
