ClawHub

ip lookup ( get ip )

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by checking public IP and approximate location, but users should know it contacts third-party IP lookup services.

Install this only if you are comfortable with your public IP address being queried by third-party IP lookup providers such as ipify, ifconfig.me, ipinfo.io, or similar services. For ambiguous requests like "where am I," confirm you want an IP-based location lookup before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands (`curl`) to contact external services, yet it declares no permissions or equivalent user-visible capability notice. This creates a transparency and governance problem: reviewers and users may not realize the skill performs network-active operations that expose the user's public IP to third parties.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Trigger phrases like 'Where am I?', 'Where am I located?', and 'Get location' are overly broad and may cause the skill to activate for requests unrelated to public-IP lookup. That can lead to surprising external network calls and unintended disclosure of the user's public IP to third-party services when the user did not specifically consent to an IP-based location check.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow sends the user's public IP to multiple third-party services (`myip.ipip.net`, `icanhazip.com`, `api.ipify.org`, `ifconfig.me`, `ipinfo.io`) without any explicit user-facing warning in the skill description or workflow text. Public IP and geolocation data are privacy-sensitive, and undisclosed sharing can violate user expectations, organizational policy, or compliance requirements.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends requests to multiple third-party IP discovery and geolocation services, which necessarily disclose the user's public IP and related metadata to external providers. In the context of a skill that exists specifically to look up public IP information this behavior is expected, but it is still a real privacy risk because the script provides only a generic status message and no explicit disclosure or consent before contacting those services.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal