b-gutman

Pipeworx npm

by Bruce Gutman · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 75
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install pipeworx-npm
Description
npm MCP — wraps the npm Registry API (free, no auth)
Usage Guidance
This skill is coherent with its stated purpose but has notable risks you should weigh before installing: it expects 'npx' at runtime (but doesn't declare that requirement), and it runs 'mcp-remote@latest', which downloads and executes code from npm and connects to https://gateway.pipeworx.io — that can change upstream or exfiltrate data. Consider asking the author to: (1) declare required binaries (npx), (2) pin a specific package version instead of @latest, (3) provide the mcp-remote source repo and a description of what data the gateway receives, and (4) allow manual review of the mcp-remote package before enabling. If you must use it now, run it in an isolated environment, avoid giving it sensitive context, and consider disabling autonomous invocation until you've audited the remote package and gateway behavior.
Capability Analysis
Type: OpenClaw Skill
Name: pipeworx-npm
Version: 1.0.0
The skill bundle is a configuration for an MCP (Model Context Protocol) server that provides access to the npm Registry API. It uses the standard 'mcp-remote' utility via npx to connect to a remote gateway at gateway.pipeworx.io. The files (SKILL.md and _meta.json) contain no executable code, obfuscation, or malicious instructions, and the behavior is consistent with the stated purpose of providing package search and download statistics.
Capability Assessment
Purpose & Capability
The skill's stated purpose (wrapping the npm Registry API via a remote MCP) matches the provided connect instruction (mcp-remote pointing at gateway.pipeworx.io). However, the SKILL.md expects the agent to run 'npx' but the registry metadata lists no required binaries — that mismatch is an unexplained omission.
Instruction Scope
Runtime instructions tell the agent to run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/npm/mcp'. This causes dynamic download and execution of a package and a live connection to an external gateway; the skill does not specify what data will be sent or how the gateway behaves, so the agent could transmit sensitive context to an external service.
Install Mechanism
There is no formal install spec, but the connect step uses npx to run mcp-remote@latest. Fetching and executing '@latest' from the public npm registry is a supply-chain risk (upstream could change). While npm is a well-known host, using an unpinned 'latest' and automatic install ('-y') increases attack surface.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, because it invokes a remote service, it may forward agent context or other runtime data — the SKILL.md does not document what is transmitted, so it's unclear whether this is safe.
Persistence & Privilege
always is false and there's no indication the skill alters other skills or system-wide settings. Autonomous invocation is allowed (platform default); combined with executing remote code, that increases potential impact but is not by itself a policy violation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pipeworx-npm
  3. After installation, invoke the skill by name or use /pipeworx-npm
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug: pipeworx-npm
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Pipeworx npm?

npm MCP — wraps the npm Registry API (free, no auth). It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.

How do I install Pipeworx npm?

Run "/install pipeworx-npm" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pipeworx npm free?

Yes, Pipeworx npm is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pipeworx npm support?

Pipeworx npm is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Pipeworx npm?

It is built and maintained by Bruce Gutman (@b-gutman); the current version is v1.0.0.
