IP Geo Location - IP归属地查询
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network observer, proxy, or intermediary could see the API key and IPs being queried, potentially allowing quota abuse or disclosure of lookup activity.
The script places the Juhe API key and queried IP address into the URL query string and sends it to an HTTP, not HTTPS, endpoint.
API_URL = "http://apis.juhe.cn/ip/ipNewV3" ... params = urllib.parse.urlencode({"key": api_key, "ip": ip})
Change the endpoint to HTTPS before use, avoid putting credentials in URLs where possible, and rotate the Juhe API key if it has already been used through this script.
The key may remain on disk and could be read by other local processes or exposed if the skill directory is shared or backed up.
The skill documents an option to store the provider API key in a local .env file.
echo "JUHE_IP_KEY=你的AppKey" > scripts/.env
Prefer a protected environment variable or ensure scripts/.env is stored with restrictive permissions and is not committed, shared, or synced unintentionally.
