ClawHub

IPv6地址查询 - 即刻数据

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward IPv6 lookup helper that sends the queried IPv6 address and Jike AppKey to the documented JikeAPI service.

Install only if you are comfortable sending queried IPv6 addresses and your Jike AppKey to JikeAPI. Prefer environment variables over the --key argument on shared systems, do not commit a scripts/.env file, and leave JIKE_API_BASE_URL unset unless intentionally using a trusted replacement endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tainted flow: 'url' from os.environ.get (line 117, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"""
    url = f"{API_BASE_URL}{API_PATH}?{urllib.parse.urlencode({'ip': ip_value, 'appkey': appkey})}"
    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence
91% confidence
Finding
with urllib.request.urlopen(url, timeout=15) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares runtime requirements that enable environment access, file reads, and outbound network use, but it does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate what the skill can access and transmit, including API keys from environment variables and user-supplied IP data sent to a third-party service.

External Transmission

Medium
Category
Data Exfiltration
Content
直接调用 API:

```text
GET https://api.jikeapi.cn/v1/ip/query/v6?ip=240e:1f:1::1&appkey=YOUR_APPKEY
```

## AI 使用步骤
Confidence
83% confidence
Finding
https://api.jikeapi.cn/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal