IP归属查询

Security checks across malware telemetry and agentic risk

Overview

This IP lookup skill does what it says, but it sends the Juhe API key over plain HTTP, which can expose the credential in transit.

Review before installing. Use this only if you are comfortable sending queried IP addresses to Juhe, and update the endpoint to HTTPS or otherwise avoid sending JUHE_API_KEY over unencrypted HTTP. Treat any key already used with the current implementation as potentially exposed and consider rotating it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The documentation omits a clear privacy warning that submitted IP addresses are transmitted to a third-party API provider. Even though IP geolocation requires a remote lookup in this design, failing to disclose this data flow can mislead users into exposing personal, customer, or internal infrastructure IPs to an external service without informed consent.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The skill sends the API key to a third-party endpoint over plain HTTP, which allows any network observer or active man-in-the-middle to intercept the credential and tamper with the response. Because this is an authentication secret for a paid external service, exposure can lead to unauthorized API use, billing abuse, and loss of trust in returned geolocation data.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal