ipdata.co

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for IP-based currency lookup, but its setup guidance includes a risky remote installer command that deserves review before use.

Review the install instructions before running them. Prefer installing the required CLI through a package manager or a pinned, verified release instead of piping a remote script into bash. Also confirm whether the action will use your current public IP address and send it to ipdata.co when you do not provide an IP explicitly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The action description explicitly says it can use the caller's current IP address, but it does not warn users that this data may be transmitted to an external third-party service. That omission can lead to unintended disclosure of personal or sensitive network-location information and prevents informed consent before execution.

External Script Fetching

High

Category: Supply Chain
Content: - **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>): ```bash curl -fsSL https://cli.oomol.com/install.sh | bash # macOS / Linux ``` ```powershell
Confidence: 97% confidence
Finding: curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal