ClawHub

原仓IP分析

ReviewAudited by ClawScan on May 12, 2026.

Overview

The skill matches its stated IP-analysis purpose, but it asks users to send a paid bearer token to a raw IP address over unencrypted HTTP.

Install only if you trust the 原仓IP provider and are comfortable with per-query charges. Prefer an HTTPS endpoint, use a limited or revocable token, and avoid sending the token over plain HTTP networks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI07: Insecure Inter-Agent Communication
What this means

A paid access token and the IP names being queried could be exposed on the network or sent to an unverified endpoint.

Why it was flagged

The MCP endpoint is plain HTTP and uses an Authorization bearer token, so the token and IP-query traffic are not protected by TLS and the server identity is not validated by HTTPS.

Skill content
"url": "http://39.108.187.200:5210/yc_data/get_ip_data", "headers": { "Authorization": "Bearer sk-token" }
Recommendation

Do not use the token with this HTTP endpoint unless you trust the network and provider; ask for an HTTPS endpoint with a verifiable domain, use a limited/revocable token, and monitor charges.

Low
#ASI03: Identity and Privilege Abuse
What this means

Using the skill may spend balance from the configured account whenever the data tool is called.

Why it was flagged

The skill requires a bearer token for a paid data service, and each query consumes balance. This is purpose-aligned, but it gives the agent access to an account/billing credential.

Skill content
"Authorization": "Bearer sk-token" ... "token需要进行充值才能使用,查询一次扣一次"
Recommendation

Confirm pricing and approval expectations before use, keep the token scoped and revocable, and avoid configuring a token with broader privileges than necessary.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Users must trust the external MCP server to return accurate data and handle requests appropriately.

Why it was flagged

The instruction-only skill depends on a remote MCP service at a raw IP address; the reviewed artifacts do not include the server implementation or strong provenance for that provider.

Skill content
"type": "http", "url": "http://39.108.187.200:5210/yc_data/get_ip_data"
Recommendation

Verify the provider, endpoint, and service terms before configuring the MCP server.