Get My Location

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: look up an IP-based location through external geolocation services, with privacy caveats users should understand.

Install only if you are comfortable with IP-based location checks contacting external geolocation services. Treat results as approximate, and avoid looking up third-party IPs unless you have a legitimate reason.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The English trigger phrases are broad and map to common conversational language such as 'where am i' and 'get my location,' increasing the chance of accidental invocation. Unintended activation matters here because the skill performs network requests and discloses location-related information derived from IP data.

Vague Triggers

Medium
Confidence: 90%
Finding
The Chinese trigger phrases are similarly broad, including everyday expressions like '我在哪里' and '我的位置,' which can be matched in ordinary conversation. Because invocation can lead to external transmission of IP-derived data, broad multilingual triggers expand the accidental exposure surface.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation describes multi-source fallback to third-party APIs but does not clearly warn users that their public IP, or a supplied IP address, will be sent to external services. This is a meaningful privacy issue because geolocation lookups can reveal approximate location and create third-party processing records without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.