← 返回 Skills 市场
Pipeworx nutrition
作者
Bruce Gutman
· GitHub ↗
· v1.0.0
· MIT-0
74
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pipeworx-nutrition
功能描述
Nutrition MCP — wraps Open Food Facts API (free, no auth)
安全使用建议
This skill's README tells the agent to run 'npx -y mcp-remote@latest https://gateway.pipeworx.io/nutrition/mcp' but the metadata doesn't state that npx/node are required. Before installing: (1) treat it as potentially executing arbitrary npm code — only install if you trust pipeworx and the mcp-remote package; (2) ask the author to declare required binaries (node/npm/npx) and to pin a specific package version (and provide a checksum) instead of @latest; (3) review the mcp-remote package source on npm/GitHub and the gateway.pipeworx.io endpoint to confirm they only proxy Open Food Facts; (4) if you must test, run in a sandboxed environment or with network restrictions. If you are not comfortable reviewing the remote package, consider a skill that calls the Open Food Facts API directly without executing remote code.
功能分析
Type: OpenClaw Skill
Name: pipeworx-nutrition
Version: 1.0.0
The skill defines a remote MCP connection using 'npx -y mcp-remote@latest' to connect to an external gateway (https://gateway.pipeworx.io/nutrition/mcp). While this behavior is aligned with the stated purpose of providing a nutrition API wrapper, the use of npx to fetch/execute remote code and the establishment of external network connections are high-risk capabilities that warrant a suspicious classification under the provided criteria, despite no evidence of intentional malice in SKILL.md.
能力评估
Purpose & Capability
The description says it wraps the Open Food Facts API (no auth). The SKILL.md Connect block requires running 'npx ... mcp-remote@latest https://gateway.pipeworx.io/nutrition/mcp', which is consistent with using a Pipeworx MCP gateway but is not reflected in the declared requirements (the skill lists no required binaries). Omitting the need for npx/node is an incoherence.
Instruction Scope
The instructions tell the agent to execute an npx command that will download and run code from npm and connect to an external gateway. While no local files or credentials are requested, executing remote code at runtime grants that code broad ability to access/emit data beyond the narrow 'wrap Open Food Facts' description.
Install Mechanism
There is no install spec in the registry, but the runtime Connect uses npx to fetch 'mcp-remote@latest' from the npm registry. Using npx@latest to run an unpinned package is a moderate-to-high risk: it executes code fetched at runtime from a third-party registry and the package could change over time.
Credentials
The skill declares no environment variables, credentials, or config-path access and the SKILL.md does not request any additional secrets. That aspect is proportionate to the stated purpose.
Persistence & Privilege
always is false (good). Autonomous invocation is allowed (the platform default). Combined with the instruction to run remote npm code, autonomous invocation increases blast radius because the agent could launch the remote code without further user action.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pipeworx-nutrition - 安装完成后,直接呼叫该 Skill 的名称或使用
/pipeworx-nutrition触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
Pipeworx nutrition 是什么?
Nutrition MCP — wraps Open Food Facts API (free, no auth). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 74 次。
如何安装 Pipeworx nutrition?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pipeworx-nutrition」即可一键安装,无需额外配置。
Pipeworx nutrition 是免费的吗?
是的,Pipeworx nutrition 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Pipeworx nutrition 支持哪些平台?
Pipeworx nutrition 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pipeworx nutrition?
由 Bruce Gutman(@brucegutman)开发并维护,当前版本 v1.0.0。
推荐 Skills