Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx musicbrainz

v1.0.0

MusicBrainz MCP — wraps MusicBrainz Web Service v2 (free, no auth)

by Bruce Gutman @b-gutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for b-gutman/pipeworx-musicbrainz.

Prompt preview (Install & Setup):
Install the skill "Pipeworx musicbrainz" (b-gutman/pipeworx-musicbrainz) from ClawHub.
Skill page: https://clawhub.ai/b-gutman/pipeworx-musicbrainz
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install pipeworx-musicbrainz

ClawHub CLI

npx clawhub@latest install pipeworx-musicbrainz

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name and description match a MusicBrainz wrapper. However, the SKILL.md's connect snippet requires running 'npx mcp-remote@latest' and contacting https://gateway.pipeworx.io/musicbrainz/mcp; the declared requirements list no required binaries (it should at minimum declare 'npx'). Using a third-party gateway rather than calling musicbrainz.org directly is a design choice but should be explicit.
Instruction Scope
The SKILL.md itself contains only a connect snippet and does not ask the agent to read local files or credentials. But it instructs the agent to execute an npm package (via npx) and to connect to a third-party endpoint (gateway.pipeworx.io), which means queries and possibly proxied data will flow to that service. This is within the apparent feature scope but increases data-exposure surface.
Install Mechanism
Although the skill has no declared install spec, the connect command uses 'npx -y mcp-remote@latest' which dynamically fetches and executes code from the npm registry at runtime. Fetching and running an unpinned 'latest' package is higher risk (lack of reproducibility, potential supply-chain issues). This implicit install/execution should have been declared and safer alternatives (pinned version, vetting instructions, or direct API calls) considered.
Credentials
The skill declares no environment variables, and the instructions don't request secrets or other credentials. There is no disproportionate credential request.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges in its metadata. It does not modify other skills' configurations according to the provided data.
What to consider before installing
Before installing or invoking this skill, consider:

  1) The SKILL.md expects 'npx' to run and will execute mcp-remote@latest — running an unpinned npm package at runtime can execute arbitrary code. If you need stronger assurance, ask for a pinned package version or inspect the mcp-remote source first.
  2) Requests are proxied through gateway.pipeworx.io rather than calling MusicBrainz directly — review Pipeworx's privacy policy and trustworthiness because your queries (and potentially returned data) will pass through their gateway.
  3) If you prefer minimal exposure, use a skill that calls musicbrainz.org directly or provide your own vetted proxy.
  4) If you decide to use this skill, ensure 'npx' is available in a controlled runtime and consider running it in an environment with limited privileges.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cxxgkza74jy4as12gazm6ws84rapa
65 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

pipeworx-musicbrainz

MusicBrainz MCP — wraps MusicBrainz Web Service v2 (free, no auth). Free, no API key. Part of Pipeworx.

Tools

  • search_artists
  • get_artist
  • search_releases
  • get_release

Connect

{
  "mcpServers": {
    "pipeworx-musicbrainz": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/musicbrainz/mcp"]
    }
  }
}

More at pipeworx.io/packs/musicbrainz
