IP Geo Location - IP归属地查询 (IP location lookup)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill does what it claims, but its script sends the Juhe API key and queried IP address over plain HTTP, which can expose the key in transit.
Only install or use this skill after changing the script to use HTTPS for the Juhe API endpoint. Treat the Juhe API key like a password, avoid passing it on the command line when possible, and secure or avoid the optional scripts/.env file.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network observer, proxy, or intermediary could see the API key and IPs being queried, potentially allowing quota abuse or disclosure of lookup activity.
The script places the Juhe API key and queried IP address into the URL query string and sends it to an HTTP, not HTTPS, endpoint.
API_URL = "http://apis.juhe.cn/ip/ipNewV3"
...
params = urllib.parse.urlencode({"key": api_key, "ip": ip})
Change the endpoint to HTTPS before use, avoid putting credentials in URLs where possible, and rotate the Juhe API key if it has already been used through this script.
The key may remain on disk and could be read by other local processes or exposed if the skill directory is shared or backed up.
The skill documents an option to store the provider API key in a local .env file.
echo "JUHE_IP_KEY=你的AppKey" > scripts/.env
Prefer a protected environment variable or ensure scripts/.env is stored with restrictive permissions and is not committed, shared, or synced unintentionally.
