← 返回 Skills 市场
Pipeworx npm
作者
Bruce Gutman
· GitHub ↗
· v1.0.0
· MIT-0
75
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pipeworx-npm
功能描述
npm MCP — wraps the npm Registry API (free, no auth)
安全使用建议
This skill is coherent with its stated purpose but has notable risks you should weigh before installing: it expects 'npx' at runtime (but doesn't declare that requirement), and it runs 'mcp-remote@latest' which downloads and executes code from npm and connects to https://gateway.pipeworx.io — that can change upstream or exfiltrate data. Consider asking the author to: (1) declare required binaries (npx), (2) pin a specific package version instead of @latest, (3) provide the mcp-remote source repo and a description of what data the gateway receives, and (4) allow manual review of the mcp-remote package before enabling. If you must use it now, run it in an isolated environment, avoid giving it sensitive context, and consider disabling autonomous invocation until you've audited the remote package and gateway behavior.
功能分析
Type: OpenClaw Skill
Name: pipeworx-npm
Version: 1.0.0
The skill bundle is a configuration for an MCP (Model Context Protocol) server that provides access to the npm Registry API. It uses the standard 'mcp-remote' utility via npx to connect to a remote gateway at gateway.pipeworx.io. The files (SKILL.md and _meta.json) contain no executable code, obfuscation, or malicious instructions, and the behavior is consistent with the stated purpose of providing package search and download statistics.
能力评估
Purpose & Capability
The skill's stated purpose (wrapping the npm Registry API via a remote MCP) matches the provided connect instruction (mcp-remote pointing at gateway.pipeworx.io). However, the SKILL.md expects the agent to run 'npx' but the registry metadata lists no required binaries — that mismatch is an unexplained omission.
Instruction Scope
Runtime instructions tell the agent to run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/npm/mcp'. This causes dynamic download and execution of a package and a live connection to an external gateway; the skill does not specify what data will be sent or how the gateway behaves, so the agent could transmit sensitive context to an external service.
Install Mechanism
There is no formal install spec, but the connect step uses npx to run mcp-remote@latest. Fetching and executing '@latest' from the public npm registry is a supply-chain risk (upstream could change). While npm is a well-known host, using an unpinned 'latest' and automatic install ('-y') increases attack surface.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, because it invokes a remote service, it may forward agent context or other runtime data — the SKILL.md does not document what is transmitted, so it's unclear whether this is safe.
Persistence & Privilege
always is false and there's no indication the skill alters other skills or system-wide settings. Autonomous invocation is allowed (platform default); combined with executing remote code, that increases potential impact but is not by itself a policy violation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pipeworx-npm - 安装完成后,直接呼叫该 Skill 的名称或使用
/pipeworx-npm触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
Pipeworx npm 是什么?
npm MCP — wraps the npm Registry API (free, no auth). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 75 次。
如何安装 Pipeworx npm?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pipeworx-npm」即可一键安装,无需额外配置。
Pipeworx npm 是免费的吗?
是的,Pipeworx npm 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Pipeworx npm 支持哪些平台?
Pipeworx npm 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pipeworx npm?
由 Bruce Gutman(@b-gutman)开发并维护,当前版本 v1.0.0。
推荐 Skills