Public Ip

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it checks the machine’s public IP using public lookup services, with no hidden persistence or credential access found.

Install this only if it is acceptable for your environment to contact public IP lookup providers such as ipify, ifconfig.me, ipapi.co, and api.myip.com. Avoid using it on restricted, corporate, or anonymity-sensitive networks where revealing the public egress IP or lookup activity to third parties is a concern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill explicitly instructs execution of a script that contacts multiple external IP-discovery services, yet the skill metadata shown does not declare network permissions. This creates a transparency and governance gap: users or policy engines may not realize the skill performs outbound requests, and execution will disclose the host's public IP and request metadata to third parties.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill description presents public-IP lookup as routine but omits that it works by sending outbound requests to third-party services such as ipify and ifconfig.me. That omission matters because the act of querying inherently reveals the machine's public IP and related request metadata to external parties, which can be sensitive in restricted, corporate, or anonymity-sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This skill makes outbound requests to third-party IP-discovery services without any disclosure, consent, or warning to the user. Even though the purpose of the skill is to determine the public IP, contacting multiple external services exposes the host's network metadata and user agent to unrelated providers, which can create privacy, compliance, and observability risks in environments where outbound network access is sensitive.

VirusTotal

64/64 vendors flagged this skill as clean.
