IP Geolocation Information Lookup

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised IP lookup, but it sends the Juhe API key and queried IP over plain HTTP in the bundled script.

Review before installing. Use it only for IP addresses you are allowed to share with Juhe, avoid sensitive incident/customer indicators unless approved, and change the script endpoint to HTTPS before using a real Juhe API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends user-supplied IP addresses to a third-party service, but the description does not clearly warn users that their queried IPs will be transmitted externally. IP addresses can be sensitive in some contexts, so the lack of disclosure can lead to unintended sharing of user or infrastructure data with an outside provider.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends both the queried IP address and the API key to a third-party service, and the endpoint is configured over plain HTTP rather than HTTPS. This exposes the API key and queried data to interception or modification in transit and also creates a privacy issue because queried IPs are disclosed to an external provider without any warning or consent flow.

VirusTotal

66/66 vendors flagged this skill as clean.
