GeoInfer Image Geolocation

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a straightforward GeoInfer API wrapper, but it uploads chosen local images to an external service and uses an API key that may consume credits.

Install only if you are comfortable using GeoInfer’s external API. Use a dedicated API key, monitor credit usage, and submit only images you are allowed to share with the provider.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

Low

What this means

Using the skill can consume GeoInfer credits and exposes the API key to the GeoInfer API endpoint during requests.

Why it was flagged

The script sends the required GeoInfer API key to the provider as an authentication header; this is expected for the service but gives the skill access to the account/credits tied to that key.

Skill content

-H "X-GeoInfer-Key: $GEOINFER_API_KEY"

Recommendation

Use a dedicated GeoInfer API key if possible, monitor credit usage, and avoid placing the key in shared shell history or logs.

#ASI07: Insecure Inter-Agent Communication

Medium

What this means

Private or sensitive photos submitted to the tool will be sent to GeoInfer, and the returned result may reveal or infer location information.

Why it was flagged

The prediction command uploads the local file path supplied by the user to an external provider API for analysis.

Skill content

curl -s -X POST "https://api.geoinfer.com/v1/prediction/predict?model_id=${MODEL_ID}&top_n=${TOP_N}" \
    -H "X-GeoInfer-Key: $GEOINFER_API_KEY" \
    -F "file=@${IMAGE_PATH}"

Recommendation

Only run predictions on images you are comfortable sending to GeoInfer, and avoid uploading sensitive personal, confidential, or restricted images.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Users have less external context for verifying who maintains the skill or whether api.geoinfer.com is the intended service endpoint.

Why it was flagged

The package does not provide a source repository or homepage in the supplied metadata, limiting provenance checks even though the included scripts are simple and visible.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the provider and API key signup page independently before installing or using the skill.