ClawHub

ip-lookup

v1.0.1

Lookup IP address or hostname details including geolocation, ASN/ISP, reverse DNS, RDAP/WHOIS network info, and optional AbuseIPDB reputation check without A...

0· 302·5 current·6 all-time
by@michaelzhangty
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code and SKILL.md: geolocation (ip-api/ipwho.is), PTR (dns.google), RDAP (ARIN/RIPE) and optional AbuseIPDB checks. The declared runtime requirement (python3) aligns with the provided Python script; no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and the script limit actions to network lookups for the target (DNS resolution, HTTP RDAP/geo/abuse queries). Note: every lookup sends the target IP/hostname to third-party services (ip-api.com, ipwho.is, dns.google, rdap.arin.net/ripe, and optionally api.abuseipdb.com), which is expected for this purpose but may reveal investigation targets to those providers.
Install Mechanism
No install spec; the skill is instruction-only and ships a standalone Python script that uses only the standard library. Nothing is downloaded or written to disk at install time beyond the included files.
Credentials
No required environment variables. The only sensible optional credential is ABUSEIPDB_KEY for the optional AbuseIPDB panel, which the SKILL.md documents. This is proportionate to the stated optional feature; no unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges. It does not modify other skills or system configuration.
Assessment
This skill appears internally consistent and uses only standard Python libraries. Before installing/running, consider: (1) network lookups send the queried IP/hostname to public third-party services — avoid using it on sensitive internal/private addresses if you don't want that data shared, and expect rate limits; (2) if you enable the AbuseIPDB option you must set ABUSEIPDB_KEY — treat that key as sensitive; (3) you can inspect the bundled scripts (they are included) — they appear to only perform the described lookups. If you need an offline or privacy-preserving workflow, do not enable the script or run it in a restricted environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eaj8zfamww7mv873gxakppx82mhp8
302downloads
0stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
@michaelzhangty
latest
Download

name: ip-lookup description: Investigate any IP address or hostname - geolocation, ASN/ISP, reverse DNS (PTR), RDAP/WHOIS network block, and optional AbuseIPDB reputation check. No API keys needed for core features. Use when the user asks about an IP address, wants to geolocate an IP, look up who owns a network block, find the ISP or ASN for an IP, check abuse reputation, or do a reverse DNS lookup. Trigger phrases include "who owns this IP", "where is this IP located", "look up IP", "check if IP is malicious", "reverse DNS for", "what ASN is", "whois for IP". metadata: {"openclaw":{"emoji":":mag:","requires":{"bins":["python3"]}}}

IP Lookup

Zero-dependency network intelligence for any IP address or hostname. Combines four data sources into one clean terminal report: geolocation, reverse DNS, RDAP/WHOIS network block info, and optional AbuseIPDB reputation check.

No pip install required. Uses only Python 3 stdlib (urllib, socket, json, argparse). Works on any machine that has Python - no virtual environments, no dependency management.

Quick Start

python3 {baseDir}/scripts/ip_lookup.py 8.8.8.8
python3 {baseDir}/scripts/ip_lookup.py github.com

For a hostname, it auto-resolves to IP first, then runs all lookups.

What each panel shows

[Geo] Geolocation (always on)

Queries ip-api.com (45 req/min free, no key). Falls back to ipwho.is if ip-api.com fails.

Returns:

  • Country, country code, region, city, postal/ZIP code
  • Latitude and longitude coordinates
  • Timezone (e.g. America/ New_York)
  • ISP name and organisation
  • ASN in "AS12345 Name" format
  • Flags: PROXY, HOSTING/VPN, MOBILE - detected by ip-api.com heuristics

Example output for 8.8.8.8: IP Address 8.8.8.8 Country United States [US] Region Virginia City Ashburn Timezone America/New_York ISP Google LLC Org Google Public DNS ASN AS15169 Google LLC Flags HOSTING/VPN

[PTR] Reverse DNS (on by default, skip with --no-ptr)

Queries dns.google for the PTR record of the IP. Converts the IP to in-addr.arpa form internally. Returns the hostname if one exists, or "(no PTR record)" if none.

Useful for: identifying server hostnames, recognising CDN edge nodes (e.g. server- 13-35-12-1.fra50.r.cloudfront.net), confirming FCrDNS (forward-confirmed reverse DNS).

[RDAP] RDAP / WHOIS (on by default, skip with --no-rdap)

Queries rdap.arin.net first. Falls back to rdap.db.ripe.net for European IPs.

Returns:

  • Network name - registered handle for the IP block (e.g. APNIC-LABS, MSFT)
  • CIDR block(s) - prefix in CIDR notation (e.g. 1.1.1.0/24)
  • Abuse contact name and email - extracted from RDAP entities where roles includes "abuse"
  • Registration date and Last changed date

Example output for 1.1.1.1: Network Name APNIC-LABS CIDR Block(s) 1.1.1.0/24 Abuse Email helpdesk@apnic.net Registration 2011-08-10 Last Changed 2023-04-26

[Abuse] AbuseIPDB reputation (optional, requires free API key)

Queries api.abusei pdb.com with 90-day lookback. Returns:

  • Abuse confidence score 0-100 (0 = clean, 100 = confirmed malicious)
  • Total reports in past 90 days
  • Last reported timestamp
  • Usage type (e.g. Data Center/Web Hosting/Transit)
  • Domain associated with the IP

Score guide:

  • 0 = no reports, likely clean
  • 1-25 = low risk, possibly misconfigured server
  • 26-75 = suspicious, investigate further
  • 76-100 = high confidence malicious (scanner, spam source, Tor exit node, etc.)

All flags

FlagEffect
--jsonFull result as JSON (no ANSI codes, safe to pipe)
--abuseEnable AbuseIPDB panel (needs ABUSEIPDB_KEY env var)
--no-rdapSkip RDAP/WHOIS (faster, avoids rate limits)
--no-ptr
Skip reverse DNS PTR lookup

Common workflows

Fast geo-only lookup: python3 {baseDir}/scripts/ip_lookup.py 104.21.0.1 --no-rdap --no-ptr

Find abuse contact for a network: python3 {baseDir}/scripts/ip_lookup.py 185.220.101.1

Check if IP is flagged malicious: export ABUSEIPDB_KEY=your_key python3 {baseDir}/scripts/ip_lookup.py 185.220.101.1 --abuse

Scripting with JSON output: python3 {baseDir}/scripts/ip_lookup.py 8.8.8.8 --json | python3 -c
"import json,sys; d=json.load(sys.stdin); print(d['geo']['country'], d['geo']['as'])"

Investigate a hostname (auto-resolves): python3 {baseDir}/scripts/ip_lookup.py suspicious-domain.example.com

AbuseIPDB setup (one-time)

  1. Sign up free at https://www.abuseipdb.com/register
  2. Go to API tab in y our dashboard and create a key (free tier: 1000 checks/day)
  3. Run: export ABUSEIPDB_KEY=your_key_here

Technical notes

  • ANSI colour output is auto-disabled when stdout is not a TTY (pipes, CI, logs)
  • IPv6 addresses are supported for geolocation and RDAP; PTR lookup is IPv4-only
  • RDAP tries ARIN first (global coverage), retries RIPE directly if no data returned
  • ip-api.com rate limit: 45 requests/minute on the free tier; auto-falls back to ipwho.is
  • No caching - all calls are live; use --no-rdap --no-ptr for bulk queries
  • Script uses only Python 3 stdlib - no pip install needed

Comments

Loading comments...