ip-locator

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to only perform IP location lookups, but it sends lookup requests to ip-api.com over unencrypted HTTP.

This skill is reasonable to install if you are comfortable with ip-api.com receiving the IPs you look up and with the lookup traffic being unencrypted. Avoid using it for sensitive investigations where queried IPs or returned network details must remain confidential.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone on the network path could see or alter lookup traffic, and ip-api.com will receive the IPs being looked up.

Why it was flagged

The helper script sends IP lookup requests to an external provider over plain HTTP. This is aligned with the skill's purpose, but it exposes the queried IP/current public IP and response contents to the provider and potentially to network observers.

Skill content

API_BASE="http://ip-api.com/json"
...
local response=$(curl -s "$url")

Recommendation

Use this for non-sensitive lookups only; for confidential investigations, prefer an HTTPS-capable geolocation provider or ip-api.com's paid HTTPS option.