Skill v1.0.1
ClawScan security
ip-locator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 11:16 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill appears to do what it says—query ip-api.com for IP geolocation—and its files are straightforward, but note a few minor inconsistencies and privacy/network considerations before installing.
- Guidance
- This skill is a simple IP geolocation helper that contacts ip-api.com. Before installing or running it: (1) be aware that queries (including your machine's public IP if you run it without arguments) are sent to a third party; (2) the script uses HTTP (not HTTPS) by default—this can be intercepted on the network—so avoid sending sensitive data and consider switching to a secure endpoint if available; (3) ensure curl and python3 are available on the host (they are used but not declared); (4) respect the API rate limits (60/min, 4500/day) and don't use it for bulk automated queries without upgrading to a paid plan; and (5) review the script yourself or run it in an isolated environment if you are concerned about network calls.
Review Dimensions
- Purpose & Capability
- note: The skill's purpose (IP geolocation via ip-api.com) matches the included scripts and documentation. However, the package declares no required binaries while the script uses curl and python3 for formatting; those runtime dependencies are expected but not declared.
- Instruction Scope
- note: SKILL.md and the script limit actions to calling ip-api.com and formatting the response. They do not read other files or environment variables. Important privacy note: when run with no arguments the script will query the current public IP, sending that IP to ip-api.com. The script uses plain HTTP (http://ip-api.com) by default, which may expose queries to network interception—this is a documented limitation of the free service.
- Install Mechanism
- ok: There is no install specification (instruction-only plus a utility script). No downloads from third-party URLs or archive extraction are performed. The only file that will be executed is the included script.
- Credentials
- note: The skill requests no credentials or config paths, which is appropriate. It nevertheless performs outbound network requests to ip-api.com and will transmit queried IP addresses (including the host's public IP). Also, it relies on curl and python3 at runtime even though no env/binary requirements are declared.
- Persistence & Privilege
- ok: The skill does not request persistent or elevated privileges, is not always-enabled, and does not modify other skills or system-wide settings.
