Ip Geo Location Skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it looks up public IP geolocation through a disclosed external MCP service, with no evidence of hidden persistence, credential access, or unrelated behavior.

Reasonable to install for public IP and public domain geolocation. Avoid using it for sensitive internal infrastructure details unless you are comfortable with DNS lookups and public IP addresses being sent to the disclosed external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill clearly performs outbound network operations by calling an external MCP service at `https://ip.api4claw.com/mcp`, but no explicit permission declaration is present. This creates a transparency and governance gap: users or hosting platforms may not realize the skill transmits queried IPs and possibly derived domain-resolution data to a third party, increasing privacy and policy-compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly directs use of a third-party HTTPS endpoint for IP lookups, which means user-supplied IP addresses are transmitted off-platform to an external service. Even though IP geolocation inherently requires querying a geo-IP provider and the endpoint is fixed rather than attacker-controlled, the lack of any user-facing privacy notice or data handling warning creates a real privacy and compliance risk because IP addresses can be personal data in some jurisdictions.

VirusTotal

66/66 vendors flagged this skill as clean.
