Get IP Geo Location

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward IP geolocation skill, with a privacy notice gap around looking up the caller's own public IP.

Install only if you are comfortable giving the agent an apipick API key, spending apipick credits, and sending queried IP addresses to apipick.com. Avoid or require confirmation for the self-IP lookup mode if you do not want your own public IP and approximate network location shared with that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly encourages looking up the caller's own IP location but does not disclose that this causes the user's public IP address to be sent to a third-party service. In an agent context, users may reasonably assume the lookup is local or privacy-preserving, so the omission can lead to unintended disclosure of location-related personal data and surprise external network transmission.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly supports omitting the IP parameter to look up the caller's own public IP, which causes the user's network-identifying information to be sent to a third-party service. The description and usage guidance do not clearly warn about this privacy-sensitive behavior or require explicit user consent, creating a meaningful risk of unintended disclosure of personal or organizational metadata.

Missing User Warnings

Medium
Confidence: 95%
Finding
The API reference explicitly states that omitting the `ip` parameter will look up the caller's own IP, but it does not warn that this sends the user's/network's public IP to a third-party service. Public IP addresses are personal or organizational network metadata, and transmitting them without clear disclosure can create privacy, compliance, and user-consent issues.

VirusTotal

65/65 vendors flagged this skill as clean.
