ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx videogames

v1.0.0

Browse and search free-to-play PC and browser games by platform, category, and sort order using data from the FreeToGame database.

0· 15·0 current·0 all-time
byBruce Gutman@b-gutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (browse FreeToGame data) matches the declared capabilities (list_games, get_game, filter_games). However, the instructions direct requests to a pipeworx gateway (gateway.pipeworx.io) rather than the known FreeToGame API or a documented provider; the skill has no source repo or homepage, which is an unexplained provenance gap.
Instruction Scope
SKILL.md is instruction-only and only tells the agent to POST JSON-RPC calls to https://gateway.pipeworx.io/videogames/mcp. There are no file reads, env access, or other system interactions. The scope is limited to network calls, but those calls go to a third-party endpoint not documented in the skill metadata — this is the main scope concern.
Install Mechanism
No install spec and no code files — nothing is written to disk or installed by the skill. This lowers risk from installation.
Credentials
The skill requests no environment variables, credentials, or config paths. There is no disproportionate credential access.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request persistent system privileges or modify other skills.
What to consider before installing
This skill appears to implement only game lookups, but it sends all queries to an opaque external gateway (gateway.pipeworx.io) and has no source or homepage. Before installing: (1) confirm who operates gateway.pipeworx.io and whether you trust that operator, (2) prefer official FreeToGame endpoints if you need provenance, (3) test with only non-sensitive queries (no PII or secrets), and (4) monitor network activity and TLS certs for the gateway. Because provenance is missing, treat the skill as potentially untrusted and avoid sending any credentials or private data through it.

Like a lobster shell, security has layers — review code before you run it.

latestvk978b57472x47egzgba2eca2wh84wscz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments