Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx nhtsa

v1.0.0

Decode VINs and look up vehicle makes/models via the NHTSA Vehicle Product Information Catalog

by Bruce Gutman (@brucegutman)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description claim: 'NHTSA Vehicle Data' and VIN decoding. The only required binary is curl and there are no credentials — this matches a thin API-wrapper purpose. However, the runtime examples and MCP config target gateway.pipeworx.io (Pipeworx) rather than calling NHTSA endpoints directly; that difference should be made explicit to users because it changes the trust boundary.
Instruction Scope
SKILL.md instructs the agent to POST VINs to https://gateway.pipeworx.io/nhtsa/mcp (and to use an npx-installed MCP helper). While the instructions do not request local file or credential access, they do direct potentially sensitive VINs to an external third-party endpoint. The skill does not declare any data handling, retention, or privacy behavior for that endpoint.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk. The MCP config snippet, however, suggests using 'npx mcp-remote@latest', which would download and run code at runtime if the agent follows that path — users should be aware that npx pulls packages from the public npm registry and executes them.
Credentials
The skill requires no environment variables or credentials — that is proportionate to a public API wrapper. Still, the main concern is not requested credentials but the transmission of VINs (which can be sensitive) to a third party.
Persistence & Privilege
The skill does not request 'always: true' or system/config paths and is user-invocable only. It does not request elevated persistence or cross-skill configuration changes.
What to consider before installing
This skill appears to be an API wrapper for VIN decoding, but it sends VINs to https://gateway.pipeworx.io rather than querying NHTSA directly. Before installing or using it, confirm: (1) whether you are comfortable sending VINs (potentially sensitive data) to Pipeworx and review their privacy/retention policy; (2) whether the gateway actually relays to NHTSA or processes/stores data itself; (3) whether you or your organization prefer calling NHTSA's public API directly; and (4) if you plan to use the MCP npx helper, be aware that npx will download and execute code from npm. If you need stronger guarantees, request the skill's source or an implementation that calls api.nhtsa.dot.gov directly or provides an on-premises/local option.

latest: vk971z8kc0dnmbm2r4drb6yr8s584a5yk

Runtime requirements

Clawdis
Bins: curl