Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx patents

v1.0.0

Patents MCP — wraps PatentsView API (https://api.patentsview.org/)

by Bruce Gutman (@brucegutman)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for brucegutman/pipeworx-patents.

Install the skill "Pipeworx patents" (brucegutman/pipeworx-patents) from ClawHub.
Skill page: https://clawhub.ai/brucegutman/pipeworx-patents
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-patents

ClawHub CLI

npx clawhub@latest install pipeworx-patents

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
Name and description (Patents MCP wrapping PatentsView) align with the declared tools. However, the SKILL.md requires running 'npx mcp-remote@latest' to connect to https://gateway.pipeworx.io/patents/mcp, yet the skill metadata declares no required binaries. The missing declaration for Node/npm/npx makes the metadata inconsistent with the instructions.
! Instruction Scope
Instructions are short and focused on establishing an MCP connection, but they direct the agent to run npx which will execute code it downloads. That execution and the subsequent connection to gateway.pipeworx.io will send queries (and likely any context the agent includes) to that external server — the SKILL.md does not describe what is transmitted or any privacy/usage guarantees.
! Install Mechanism
There is no formal install spec, but the connect snippet uses 'npx -y mcp-remote@latest', which downloads and executes the latest package from the public npm registry at runtime. Unpinned '@latest' installs are higher risk because the code executed can change over time; executing remote npm packages without review is a moderate-to-high risk behavior.
Credentials
The skill declares no environment variables or credentials, which is reasonable for a public PatentsView wrapper. However, it fails to declare required runtime tooling (Node/npx). Also, because the agent will connect to an external gateway, any context or user data sent to that gateway should be considered sensitive unless the endpoint's behavior is verified.
Persistence & Privilege
The skill does not request always:true and follows normal autonomous-invocation defaults. Still, allowing the agent to autonomously run 'npx' and execute downloaded code increases blast radius — autonomous invocation combined with remote code execution is riskier than a purely local/instruction-only skill.
What to consider before installing
This skill appears to do what it says (wrap PatentsView) but it instructs the agent to run 'npx -y mcp-remote@latest' and connect to https://gateway.pipeworx.io/patents/mcp. That means code will be downloaded and executed from npm and queries (and any agent context) will go to an external server. Before installing:

  (1) confirm you trust pipeworx.io and the gateway URL;
  (2) prefer a pinned package version (not @latest) or review the mcp-remote package source on npm/GitHub;
  (3) ensure Node/npx are available and include them in the skill metadata;
  (4) avoid sending sensitive data to the connector, or test in a sandbox;
  (5) if you need stronger guarantees, ask the publisher for a local-only connector or source you can audit.

If you cannot verify the remote package and endpoint, treat this skill as risky.

Like a lobster shell, security has layers — review code before you run it.

latestvk9760sz45pedrb6m2ye7fcwqe584secw
75 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

pipeworx-patents

Patents MCP — wraps PatentsView API (https://api.patentsview.org/). Free, no API key. Part of Pipeworx.

Tools

  • search_patents
  • get_patent
  • search_inventors

Connect

{
  "mcpServers": {
    "pipeworx-patents": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/patents/mcp"]
    }
  }
}

More at pipeworx.io/packs/patents
