ip-locator

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised IP geolocation lookup, but users should understand that queried IPs are sent to ip-api.com over unencrypted HTTP.

Install only if you are comfortable with looked-up IP addresses, and possibly your current public IP, being sent to ip-api.com over unencrypted HTTP. Avoid using it for sensitive investigations or confidential network targets unless you first replace the provider or transport with a privacy-reviewed HTTPS option.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The skill documents executable shell commands (`curl` and script invocation) but does not declare corresponding permissions or capabilities in a way users can review up front. This weakens transparency and consent, increasing the chance that an agent executes network-capable shell actions without the user clearly understanding the operational scope.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill sends queried IPs, and potentially the user's own current public IP, to the third-party service ip-api.com without prominently warning about that disclosure. Because IP addresses can be sensitive operational or personal data, this creates a privacy risk and may expose internal investigative targets or user network metadata to an external provider.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The examples demonstrate sending IP addresses to ip-api.com, a third-party geolocation service, but do not warn that queried IPs may be personal data and will be disclosed externally. In the context of an agent skill that may query a user's current public IP or arbitrary addresses on their behalf, this omission can lead to privacy harm and uninformed data sharing.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The script transmits the queried IP address, or the user's current public IP when no argument is provided, to a third-party geolocation service without an explicit notice or consent step. It also uses plain HTTP rather than HTTPS, so the IP query and response can be observed or modified in transit, increasing privacy and integrity risk.

VirusTotal

64/64 vendors flagged this skill as clean.
