📦 Pipeworx carbon — Skill tool
v1.0.0 [Auto-translated] UK national carbon intensity data — real-time, historical, and generation mix from the Carbon Intensity API
0 · 38 · 0 current · 0 cumulative
Security scan
OpenClaw
Suspicious
High confidence: The pack claims to pull data from the official Carbon Intensity API but its runtime instructions route calls through a third‑party Pipeworx gateway and suggest running npx to connect remotely — this proxy-and-remote-execution behavior is not justified or explained and poses data & supply-chain risks.
Assessment recommendations
Before installing: (1) Confirm whether Pipeworx is intentionally acting as a proxy for the official Carbon Intensity API — ask the publisher to explicitly state what the gateway does and why it's needed. (2) Treat the suggested `npx mcp-remote@latest` step as a supply-chain and remote-execution risk: inspect the package (or avoid running it) and run it only in an isolated environment. (3) Assume requests and any sent agent context may be visible to gateway.pipeworx.io — do not send secrets or sensit...
⚠ Purpose and capabilities
The description claims data comes from the official Carbon Intensity API (carbonintensity.org.uk) but the SKILL.md examples and setup use gateway.pipeworx.io and an MCP remote endpoint. A simple carbon-intensity query would not require a third‑party gateway or an npx remote connector; the use of Pipeworx is not documented or justified.
⚠ Instruction scope
Instructions demonstrate POSTing JSON-RPC to gateway.pipeworx.io and instruct configuring an MCP server that runs `npx ... mcp-remote@latest` to connect to that gateway. That means runtime traffic and potentially agent context will be sent to a third party and the agent operator will execute remote npm code — neither of which is described or bounded in the pack.
⚠ Install mechanism
There is no formal install spec, but SKILL.md's recommended setup uses `npx` to fetch and run `mcp-remote@latest` from npm. Running npx against an arbitrary package is a supply-chain risk (code pulled and executed at runtime) and is not declared in the skill's install metadata.
ℹ Credential requirements
The skill declares no required environment variables or credentials — that's proportional to a read-only public API. However, because it routes requests through Pipeworx, it's unclear whether the gateway expects/collects additional secrets or agent context; the SKILL.md does not disclose what data the gateway receives.
ℹ Persistence and privileges
The skill is not always-enabled and doesn't request elevated platform privileges. Still, the suggested MCP configuration will run an npx-installed connector that may persist as a service/daemon (MCP remote) and maintain a long-lived connection to the Pipeworx gateway; this is not spelled out.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/8
Initial release
● Harmless
Install command
Official: `npx clawhub@latest install pipeworx-carbon`
Mirror (accelerated): `npx clawhub@latest install pipeworx-carbon --registry https://cn.longxiaskill.com` (mirror syncing)