ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx words

v1.0.0

Provides synonyms, rhymes, related words, autocomplete, and advanced word search to enhance writing and word exploration.

0· 6·0 current·0 all-time
byBruce Gutman@brucegutman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (synonyms, rhymes, autocomplete, advanced word search) matches the SKILL.md behavior. However, SKILL.md says 'Powered by the Datamuse API' yet all concrete examples point to a gateway at gateway.pipeworx.io rather than the public Datamuse endpoints. That mismatch is unexplained and worth verifying (the gateway may proxy Datamuse or implement its own service).
Instruction Scope
Instructions are narrow and focused: they demonstrate HTTP POST calls to a single external API endpoint and provide an mcpServers JSON configuration. The instructions do not request reading local files, environment variables, or other system state. The notable scope issue is that the skill sends user-provided words to an external host (the gateway), which could collect queries.
Install Mechanism
There is no install spec and no code files — this is instruction-only, so nothing is written to disk by the skill itself. This minimizes install-time risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. It does not appear to request access to unrelated secrets or system credentials.
Persistence & Privilege
The skill does not request permanent/always-on presence (always: false) and does not attempt to modify other skills or system settings. Autonomous invocation is allowed by default but is not combined with other high-risk privileges here.
What to consider before installing
This skill does what it says (word lookups) but routes queries to https://gateway.pipeworx.io/words/mcp rather than directly to Datamuse. Before installing, consider: 1) Do you trust gateway.pipeworx.io to receive and possibly log all words/phrases you send? (Queries could include sensitive text.) 2) Ask the publisher for the source or documentation (no homepage is provided) and whether the gateway proxies Datamuse or hosts its own data. 3) If you need stronger privacy or provenance, prefer a skill that calls the official Datamuse API directly or run your own trusted proxy. 4) Test with non-sensitive queries first and monitor network requests if possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk974nj6ef5ynphb19qbw6wcdxn84yc4x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments