v1.0.0

Get IP Geo Location

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:56 AM.

Analysis

This is a straightforward instruction-only IP geolocation skill; the main things to notice are that it uses an apipick API key, consumes API credits, and sends IP lookup requests to apipick.

Guidance: This skill appears coherent and low risk for its stated purpose. Before installing, make sure you are comfortable giving the agent access to an apipick API key, spending one credit per successful lookup, and sending queried IP addresses or your own public IP to apipick.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Requires an apipick API key (x-api-key). ... Use `$APIPICK_API_KEY` env var as the `x-api-key` header value; if not set, ask the user for their apipick API key

The skill needs a service credential to authenticate to apipick. This is clearly disclosed and proportionate for the stated API lookup function, but users should still treat the key as a credential.

User impact: The agent may use the user's apipick API key and consume apipick account credits when performing lookups.
Recommendation: Provide only an apipick key intended for this service, store it as an environment variable rather than pasting it broadly, and monitor credit usage.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
GET https://www.apipick.com/api/ip-geolocation ... Omit the IP parameter to look up the caller's own IP.

The skill sends the queried IP address, or the caller's own public IP when no parameter is supplied, to an external provider. This is expected for an IP geolocation API and is openly documented.

User impact: IP addresses submitted for lookup, including the caller's own public IP in that mode, are shared with apipick and may reveal approximate location or network information.
Recommendation: Use the skill only for IP addresses you are comfortable sending to apipick, and be explicit if you do not want the agent to look up your own public IP.