by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be a simple proxy to Pipeworx's FDA gateway and needs only curl to run the example queries. Before installing or running it: 1) Verify you trust https://gateway.pipeworx.io and the pipeworx.io publisher — your queries (and any data you include) will be sent there. 2) Do not send PHI, passwords, or other secrets in queries. 3) If you plan to use the MCP config, understand that 'npx mcp-remote@latest' downloads and runs code from npm; only run it if you trust that package. 4)...详细分析 ▾
ℹ 用途与能力
The name/description (FDA open data) matches the actual behavior: the skill instructs the agent to query a Pipeworx gateway that returns FAERS, labeling, and recall data. However, the SKILL.md's MCP config references running 'npx mcp-remote', yet the declared required binaries only list 'curl' — a minor inconsistency in declared requirements versus recommended usage.
ℹ 指令范围
Instructions are limited to querying an external API (gateway.pipeworx.io) and include example curl calls. They do not request local file reads or extra environment variables. Be aware that queries (including any user-supplied text) will be sent to a third party; avoid sending sensitive or private data.
ℹ 安装机制
The skill is instruction-only (no install spec), which is low-risk. However, the provided MCP config recommends using 'npx mcp-remote@latest' to register a remote tool; running that command will download and execute third‑party npm code. The skill itself does not force that install, but the instructions encourage running remote code — a potential risk if you don't trust the publisher.
✓ 凭证需求
No environment variables, credentials, or config paths are requested by the skill, which is proportional for accessing public FDA data. There is nothing requesting unrelated secrets or system credentials.
ℹ 持久化与权限
The skill does not request permanent inclusion (always:false). The MCP config suggests adding a remote MCP server entry to agent config; if you follow that, the remote server could be invoked by the agent — consider whether you trust the remote operator before adding it to your agent configuration.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/9
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install pipeworx-fda
镜像加速npx clawhub@latest install pipeworx-fda --registry https://cn.longxiaskill.com