Skill v3.0.0

ClawScan security

Ip Advisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 12:10 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions are internally consistent with an IP/subnet helper; it makes a small outbound request to determine public IP and creates a local data directory, but otherwise requests no credentials or elevated access.
Guidance
This skill appears coherent for IP/subnet assistance, but review and note the following before installing:
1) The script will create ~/.local/share/ip-advisor in your home directory (it does not store secrets there, but it does create the folder).
2) The 'public' command makes an outbound HTTPS request to checkip.amazonaws.com to learn your public IP—if you cannot allow external network calls, avoid using that command.
3) The shell script has several small bugs/poor quoting (some echo lines use single quotes so variables print literally) and limited input validation (IPv4 validation is a simple regex and doesn't enforce 0–255 ranges). These are likely quality issues, not malicious behavior.
4) The script relies on standard system tools (ip or ifconfig, curl); ensure those binaries are present and you trust the repository author (homepage listed).
If you want higher assurance, inspect or run the script in an isolated environment, or fix the quoting/validation issues before use.

Review Dimensions

Purpose & Capability
ok
Name/description match the provided script: commands implement info, subnet, validate, local, public, and range functionality. Required capabilities (reading local addresses, optionally calling an external service to learn the public IP) are appropriate for the stated purpose.
Instruction Scope
note
SKILL.md simply calls the included scripts. The script creates ~/.local/share/ip-advisor and uses local networking tools (ip/ifconfig) and curl to query https://checkip.amazonaws.com for the public IP. That external network call is expected for a 'public' command but is the only network I/O; the skill does not read arbitrary files or environment variables beyond $HOME.
Install Mechanism
ok
No install spec; the skill is instruction-only with an included shell script. Nothing is downloaded or executed from remote URLs during install.
Credentials
ok
No required environment variables, no credentials, and no config paths beyond a per-user data directory under $HOME. The requests for resources appear proportionate to the functionality.
Persistence & Privilege
ok
always is false and the skill does not request system-wide changes or modify other skills. It only creates a per-user directory ($HOME/.local/share/ip-advisor).