Low Risk — Risk Score 15/100
Last scan: 1 day ago
ip-risk-scanner
IP security evaluation tool - Analyzes IP address safety for Claude Code usage
A legitimate IP security evaluation tool that queries public IP geolocation APIs and saves reports to Obsidian. No malicious behavior detected - hardcoded IPs are legitimate test addresses and all network operations target documented public services.
Skill Name: ip-risk-scanner
Duration: 30.6s
Engine: pi
Verdict: Safe to install
Approve for use. Consider adding an explicit allowed-tools declaration in SKILL.md for transparency. The Obsidian save path is hardcoded to a single user's vault.

Findings (3 items)

1. [Low] Missing tool permission declarations (Doc Mismatch) - Location: SKILL.md:1
   SKILL.md does not declare any allowed-tools or capability requirements. The skill performs network requests and filesystem writes, but these are not documented.
   Evidence: No allowed-tools section found
   Recommendation: Add an allowed-tools declaration to SKILL.md, e.g. 'allowed-tools: Bash, Read, Write, WebFetch'

2. [Info] Hardcoded user-specific Obsidian path (Priv Escalation) - Location: scripts/ip_risk_scanner.py:33
   The Obsidian save path is hardcoded to '/Users/kui/Documents/Obsidian Vault/'. This means the tool is designed for a single user's environment and will fail for other users.
   Evidence: OBSIDIAN_VAULT = "/Users/kui/Documents/Obsidian Vault/claude code/IP Reports"
   Recommendation: Make the Obsidian path configurable via an environment variable or CLI argument

3. [Info] Hardcoded example IP addresses (Sensitive Access) - Location: SKILL.md:109, scripts/ip_lookup.sh:11:109
   Two IPs are hardcoded as examples: 192.0.2.1 (TEST-NET-2 reserved range) and 45.129.228.121 (legitimate IP appearing in public APIs). These are standard documentation examples, not malicious IOCs.
   Evidence: User input: "Check this IP: 192.0.2.1"
   Recommendation: No action needed - these are legitimate test IPs documented for user guidance
Resource | Declared | Inferred | Status | Evidence
Network | NONE | READ | ✓ Aligned | scripts/ip_risk_scanner.py:53-61 (urllib calls to ip-api.com, ipapi.co)
Filesystem | NONE | WRITE | ✓ Aligned | scripts/ip_risk_scanner.py:187-188 (writes to Obsidian vault)
Shell | NONE | READ | ✓ Aligned | scripts/ip_lookup.sh:23-35 (dig, whois, nslookup commands)
Detected indicators (24 findings, 2 High)

Severity | Type | Value | Location
High | IP Address (hardcoded IP address) | 192.0.2.1 | SKILL.md:109
High | IP Address (hardcoded IP address) | 45.129.228.121 | scripts/ip_lookup.sh:11
Medium | External URL | https://browserleaks.com/webrtc | SKILL.md:243
Medium | External URL | https://browserleaks.com/dns | SKILL.md:244
Medium | External URL | https://browserleaks.com/canvas | SKILL.md:245
Medium | External URL | https://browserleaks.com/ | SKILL.md:246
Medium | External URL | https://scamalytics.com | SKILL.md:267
Medium | External URL | https://browserleaks.com | SKILL.md:268
Medium | External URL | https://www.augmunt.com/blog/claude-account-ban-solutions-deep-dive-2026/ | SKILL.md:269
Medium | External URL | https://blog.laozhang.ai/en/posts/claude-code-source-leak-ban-policy | SKILL.md:270
Medium | External URL | https://browserleaks.com/fonts | references/ip-risk-guide.md:126
Medium | External URL | http://ip-api.com/json/ | references/ip-risk-guide.md:137
Medium | External URL | https://ipapi.co/ | references/ip-risk-guide.md:138
Medium | External URL | http://ipwhois.app/json/ | references/ip-risk-guide.md:139
Medium | External URL | https://www.spamhaus.org/query/ip/ | references/ip-risk-guide.md:198
Medium | External URL | https://www.abuseipdb.com/check/ | references/ip-risk-guide.md:199
Medium | External URL | https://www.virustotal.com/gui/ip-address/ | references/ip-risk-guide.md:200
Medium | External URL | https://youverify.co/blog/ip-fraud-score | references/ip-risk-guide.md:215
Medium | External URL | http://ip-api.com/json/$IP_ADDRESS | scripts/ip_lookup.sh:36
Medium | External URL | https://ipapi.co/$IP_ADDRESS/json/ | scripts/ip_lookup.sh:54
Medium | External URL | https://scamalytics.com/ip/ | scripts/ip_risk_scanner.py:354
Medium | External URL | https://browserleaks.com/ip/ | scripts/ip_risk_scanner.py:355
Medium | External URL | https://whoer.net/ | scripts/ip_risk_scanner.py:356
Medium | External URL | https://ipinfo.io/ | scripts/ip_risk_scanner.py:357

File Tree

4 files · 35.5 KB · 1047 lines
Markdown: 2 files, 491 lines · Python: 1 file, 479 lines · Shell: 1 file, 77 lines
├─ references/
│  └─ ip-risk-guide.md (Markdown, 216 lines, 5.2 KB)
├─ scripts/
│  ├─ ip_lookup.sh (Shell, 77 lines, 2.6 KB)
│  └─ ip_risk_scanner.py (Python, 479 lines, 19.5 KB)
└─ SKILL.md (Markdown, 275 lines, 8.1 KB)

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
Python standard library only | N/A | stdlib | No | Uses urllib.request, json, os, datetime - no external dependencies

Security Positives

✓ No credential theft or environment variable harvesting detected
✓ No base64 encoding, obfuscation, or anti-analysis techniques found
✓ No reverse shell, C2, or data exfiltration to attacker-controlled infrastructure
✓ All network requests target legitimate, publicly documented IP lookup APIs (ip-api.com, ipapi.co)
✓ No supply chain risks - uses only Python standard library (urllib)
✓ Shell script uses standard diagnostic tools (dig, whois, nslookup, curl, ping) - all appropriate for IP analysis
✓ No hidden functionality or undocumented behavior
✓ Reports are only saved locally to the user's Obsidian vault