IP Geo Location - IP归属地查询

Security checks across malware telemetry and agentic risk

Overview

This IP lookup skill does what it advertises, but its script sends the API key and queried public IPs over unencrypted HTTP.

Review before installing. The skill appears purpose-aligned, but change the script endpoint to HTTPS before use if Juhe supports it, treat JUHE_IP_KEY like a password, avoid passing the key on the command line, and only query IP addresses you are comfortable sending to Juhe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly sends user-supplied IP addresses to the third-party service `juhe.cn` but does not provide a clear user-facing privacy notice or consent guidance. IP addresses can be personal data or sensitive operational data in some contexts, so silent transmission to an external provider creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 99%
Finding
The script sends both the queried IP address and the API key to a third-party endpoint over plain HTTP, which allows interception or modification by any attacker on the network path. Because the API key is placed in the URL query string, it is especially exposed to proxies, logs, and passive monitoring, and users are not explicitly warned that their input is transmitted externally.

VirusTotal

67/67 vendors flagged this skill as clean.
