Back to skill
Skillv1.0.0
ClawScan security
Myip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 1:21 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only IP-checker whose requirements and instructions largely match its stated purpose, with minor inconsistencies and a privacy note about contacting third-party services.
- Guidance
- This skill is coherent for finding public and local IPs, but note two things before installing: (1) the metadata's single required binary is 'curl.exe' (Windows-style) — if you plan to run this on Linux/macOS you should ensure the agent accepts 'curl' (no .exe) or adjust the metadata; (2) the public-IP checks call third-party endpoints (ifconfig.me, api.ipify.org), so your public IP will be sent to those services — if you prefer not to contact external services, obtain your public IP via your router or provider or run these commands locally yourself. Otherwise it's a simple, instruction-only skill with a small bookkeeping inconsistency in package.json.
Review Dimensions
- Purpose & Capability
- noteThe skill's name, description, and runtime instructions all match the stated goal (discover public and local IPs). However the metadata requires 'curl.exe' specifically (Windows-style name) while the SKILL.md also documents Linux commands — requiring curl.exe only is inconsistent and unnecessary for non-Windows systems. package.json appears normal but contains a Chinese description and a slightly different version string (1.0.1 vs registry 1.0.0), which is minor bookkeeping inconsistency.
- Instruction Scope
- noteSKILL.md only instructs running curl against public IP services (ifconfig.me, api.ipify.org) and local commands (ipconfig, hostname -I). This stays within scope. Important privacy note: using those public endpoints will disclose the machine's public IP to third-party services — expected for this task but a data-exposure consideration the user should be aware of.
- Install Mechanism
- okNo install spec and no code files beyond SKILL.md and package.json — lowest-risk form. The skill is instruction-only so nothing is written to disk by the skill bundle itself.
- Credentials
- okThe skill requests no environment variables or credentials, which is proportionate to the simple IP-discovery purpose.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or persistent privileges, nor does it modify other skills or system-wide configuration.