IPv4 Address Lookup - Jike Data

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it queries a Jike API for IPv4 location data. Users should understand that the IPv4 addresses they look up and their API key are sent to that service.

Install only if you are comfortable using a Jike API key and sending queried IPv4 addresses to Jike’s API. Do not set JIKE_API_BASE_URL unless you intentionally trust that alternate endpoint, and avoid putting real AppKeys in public repositories or shared skill packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tainted flow: 'url' from os.environ.get (line 123, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    url = f"{API_BASE_URL}{API_PATH}?{params}"

    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence
96% confidence
Finding
with urllib.request.urlopen(url, timeout=15) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares runtime requirements and clearly instructs execution of a Python script that reads environment variables, accesses local files (.env), and makes outbound network requests, yet no explicit permissions model is declared. This creates a transparency and policy-enforcement gap: users and hosts may not realize the skill can read secrets and transmit data externally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends user-supplied IP addresses to a third-party service, but the user-facing usage guidance does not prominently warn that this data leaves the local environment. IP addresses can be sensitive in some contexts, so lack of disclosure can cause unintended data sharing and privacy/compliance issues.

VirusTotal

63/63 vendors flagged this skill as clean.
