Security audit

Pipeworx ipinfo

Security checks across malware telemetry and agentic risk

Overview

This is a simple IP lookup skill that connects to disclosed external services, with privacy considerations users should understand before using it.

Install only if you are comfortable routing IP lookup requests through Pipeworx and ipinfo.io. Avoid submitting sensitive internal, customer, investigative, or regulated IP data unless that disclosure is acceptable, and consider pinning `mcp-remote` instead of using `@latest` where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to connect to a remote MCP endpoint that forwards requests to ipinfo.io, but it does not clearly warn that lookups send data to external services and may disclose the user's own IP address or queried IPs to third parties. This creates a privacy and data-handling risk because users may unknowingly expose sensitive infrastructure, customer, or personal network information outside their local environment.

VirusTotal

66/66 vendors flagged this skill as clean.