← Back to Skills Marketplace
Pipeworx iplookup
by
Bruce Gutman
· GitHub ↗
· v1.0.0
· MIT-0
67
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pipeworx-iplookup
Description
IP Lookup MCP — ip-api.com (free, no auth for basic usage)
Usage Guidance
This skill's metadata promises simple ip-api.com lookups, but its runtime instructions tell the agent to run 'npx -y mcp-remote@latest' to connect to a Pipeworx gateway—meaning it will download and execute code from npm and send queries to an external server. Before installing, verify the following: (1) Ask the publisher for source code or an explicit install spec so you can inspect what mcp-remote does and what data it transmits. (2) Confirm you are comfortable with running an npm 'latest' package at runtime (consider pinning to a specific vetted version). (3) If you only need raw ip-api.com lookups, prefer a skill that calls ip-api.com directly (no remote code execution). (4) If you proceed, run it in a sandboxed environment and review network traffic to confirm only intended IP queries are sent and no extra data is exfiltrated.
Capability Analysis
Type: OpenClaw Skill
Name: pipeworx-iplookup
Version: 1.0.0
The skill bundle provides a standard configuration for an IP lookup service using the Model Context Protocol (MCP). It utilizes the 'mcp-remote' package to connect to a remote gateway at gateway.pipeworx.io, which is consistent with its stated purpose of providing geolocation tools. No malicious code, obfuscation, or harmful prompt injection instructions were found in SKILL.md or _meta.json.
Capability Assessment
Purpose & Capability
The description says 'IP Lookup — ip-api.com (free, no auth)', which implies simple HTTP lookups. However the SKILL.md's Connect block instructs running 'npx -y mcp-remote@latest https://gateway.pipeworx.io/iplookup/mcp' to contact a Pipeworx gateway. The declared requirements list no binaries or credentials, but the runtime instructions require npx/node. Requiring an npm-executed remote component is disproportionate to a plain IP geolocation lookup and is not explained in the metadata.
Instruction Scope
The instructions tell the agent to fetch and execute a remote npm package (mcp-remote@latest) which will connect to https://gateway.pipeworx.io/iplookup/mcp. That implies user data (IP addresses and possibly surrounding context) would be sent to an external gateway rather than directly to ip-api.com. The SKILL.md gives no details about what the remote package does, what data it sends, or privacy/retention, so scope and data flows are unclear and broader than advertised.
Install Mechanism
There is no declared install spec, but the Connect snippet relies on npx to fetch and run the latest mcp-remote package from npm at runtime. Fetching and executing 'latest' from the public npm registry is a moderate-to-high risk pattern (the package content can change, and arbitrary code will run). The gateway URL is a third-party endpoint (gateway.pipeworx.io) rather than a well-known release host for binaries; this elevates risk because arbitrary remote code and network traffic are introduced at runtime.
Credentials
The skill requests no environment variables or credentials, which is proportionate for a lookup service. However, it fails to declare required runtime tooling (npx/node) despite requiring npx in its connection command—this omission is a practical mismatch rather than a credentials risk.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed (the platform default) but by itself is not a new red flag. The main concern is the combination of autonomous invocation with runtime execution of third-party npm code and external network connections.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pipeworx-iplookup - After installation, invoke the skill by name or use
/pipeworx-iplookup - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Pipeworx iplookup?
IP Lookup MCP — ip-api.com (free, no auth for basic usage). It is an AI Agent Skill for Claude Code / OpenClaw, with 67 downloads so far.
How do I install Pipeworx iplookup?
Run "/install pipeworx-iplookup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Pipeworx iplookup free?
Yes, Pipeworx iplookup is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Pipeworx iplookup support?
Pipeworx iplookup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Pipeworx iplookup?
It is built and maintained by Bruce Gutman (@brucegutman); the current version is v1.0.0.
More Skills