Back to skill

Security audit

ip lookup ( get ip )

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised public IP and approximate location lookup, but it contacts third-party IP services as part of that work.

Install only if you are comfortable with your public IP address being sent to third-party IP lookup and geolocation services. For vague requests like "where am I," confirm you want an IP-based location check before letting the skill run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell commands (`curl`) and therefore has execution/network capabilities that are not explicitly declared or warned about. This is dangerous because the skill will transmit the user's public IP and related metadata to third-party services, creating an undeclared privacy and capability boundary that users and policy controls may not expect.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases include broad requests like 'Where am I?', 'Where am I located?', and 'Locate me', which can match common conversational queries not specifically asking for IP-based geolocation. This is dangerous because it can cause the skill to activate unexpectedly and send the user's public IP to external services without clear, informed intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill does not warn users that it sends their public IP address to third-party services such as myip.ipip.net, ipify, ifconfig.me, and ipinfo.io. This is dangerous because IP addresses are sensitive network metadata, and sharing them externally can expose approximate location, ISP, and usage patterns without explicit user awareness or consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends requests to multiple third-party IP lookup services, which necessarily disclose the user's public IP address and related metadata to those services without any meaningful privacy notice or consent flow. In the context of an IP lookup skill this behavior is functionally expected, but it still creates a real privacy issue because the user's network information is shared externally and across multiple providers.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.