IP Geo Location - IP Location Lookup
Advisory
Audited by VirusTotal on Mar 25, 2026.
Overview
Type: OpenClaw Skill
Name: juhe-ip
Version: 1.0.0
The skill bundle is a legitimate tool for querying IP address geolocation data via the Juhe (聚合数据) API. The Python script `scripts/ip_lookup.py` uses standard libraries to perform HTTP GET requests to a known service provider and includes robust logic for identifying private/reserved IP ranges to avoid unnecessary API calls. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network observer, proxy, or intermediary could see the API key and IPs being queried, potentially allowing quota abuse or disclosure of lookup activity.
The script places the Juhe API key and the queried IP address into the URL query string and sends them to an HTTP, not HTTPS, endpoint.
API_URL = "http://apis.juhe.cn/ip/ipNewV3" ... params = urllib.parse.urlencode({"key": api_key, "ip": ip})
Change the endpoint to HTTPS before use, avoid putting credentials in URLs where possible, and rotate the Juhe API key if it has already been used through this script.
The key may remain on disk and could be read by other local processes or exposed if the skill directory is shared or backed up.
The skill documents an option to store the provider API key in a local .env file.
echo "JUHE_IP_KEY=你的AppKey" > scripts/.env
Prefer a protected environment variable or ensure scripts/.env is stored with restrictive permissions and is not committed, shared, or synced unintentionally.
