Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx marine

v1.0.0

Marine MCP — wraps marine-api.open-meteo.com (free, no auth)

by Bruce Gutman (@b-gutman)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to wrap marine-api.open-meteo.com and provides MCP tool names, which is coherent. However, the SKILL.md's Connect block instructs the agent to run 'npx ... mcp-remote@latest' to connect to gateway.pipeworx.io; the manifest does not declare the need for 'npx' / Node runtime or explain why an external mcp-remote package is required instead of direct REST calls to open-meteo. This omission is a mild inconsistency.
Instruction Scope
SKILL.md only provides a small connect config and does not instruct reading local files or extra environment variables. However, it gives an explicit runtime command that will download and execute code (npx mcp-remote@latest) and establish a network connection to gateway.pipeworx.io; that runtime behavior is not fully described in the top-level metadata.
Install Mechanism
There is no install spec, but the Connect block relies on npx to fetch and run the latest mcp-remote from npm. Running 'npx ...@latest' will download and execute code from the public npm registry at runtime (unrestricted, unpinned). That is a higher-risk install mechanism and should be declared, pinned to a version, or replaced with a vetted install artifact.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate for a read-only weather wrapper. There is no evidence the skill tries to access unrelated secrets or files.
Persistence & Privilege
The skill is not marked 'always:true' and uses default autonomous invocation settings. It doesn't request elevated persistent privileges or modify other skills' configs in the SKILL.md.
What to consider before installing
Before installing, consider that this skill will (per its Connect block) run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/marine/mcp' at runtime. That action downloads and executes code from the public npm registry and opens a network connection to gateway.pipeworx.io. If you plan to use it:

1) ensure you trust pipeworx.io and gateway.pipeworx.io;
2) require the skill to declare 'npx' (Node) as a required binary or provide an explicit install spec;
3) prefer a pinned mcp-remote version (not @latest) or a vetted release tarball;
4) ask for the mcp-remote source or a checksum so you can audit it;
5) consider running the skill in a restricted/sandboxed environment with limited network and file access.

If you cannot validate the npm package or gateway, treat the skill as higher risk and avoid installing it on sensitive systems.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97exnc1e143p4k0xk4zwj7xtd84sy5c
