Low Risk — Risk Score 10/100
Last scan: 1 day ago
get-my-location
Get current IP geolocation with 3-tier fallback (freegeoip.app → api.ipbase.com → ip-api.com). No API key required.
A straightforward IP geolocation tool that queries three public APIs (freegeoip.app, ipbase, ip-api.com) and returns location data; no malicious behavior, credential access, or hidden functionality.
Skill Name: get-my-location
Duration: 31.5s
Engine: pi
Safe to install
No action required. Consider removing the hardcoded real IP address (222.89.92.62) from SKILL.md examples to avoid inadvertently disclosing a specific user's IP.

Findings (2 items)

Severity | Finding | Location
Low | Hardcoded real IP address in documentation example (Doc Mismatch) | SKILL.md:50
  SKILL.md line 50 shows IP 222.89.92.62 with city-level precision (Xinxiang, Henan) as the example output. This appears to be a real user's IP address rather than a synthetic example, which could inadvertently expose someone's approximate location in the documentation.
    IP 地址: 222.89.92.62
  → Replace the hardcoded IP example with a clearly synthetic/reserved IP (e.g., 203.0.113.1) or a well-known public DNS server IP to avoid real-user data exposure in docs.
Low | HTTP (non-TLS) endpoint in fallback chain (Sensitive Access) | scripts/location.py:87
  The third fallback source (ip-api.com) uses http:// instead of https://, meaning the IP address is sent in plaintext over the network.
    url = "http://ip-api.com/json/"
  → Use https://ip-api.com/json/ instead. The ip-api.com service supports HTTPS, and plaintext HTTP is an unnecessary privacy leak.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/location.py:59-99 — HTTP GETs to 3 public geolocation APIs, fully declar…
Shell | NONE | NONE | | No subprocess/Popen/eval/exec usage found — uses only stdlib urllib
Filesystem | NONE | NONE | | No file open/write operations — purely reads from network
Environment | NONE | NONE | | No os.environ iteration or credential access
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill Invoke | NONE | NONE | | No skill invocation
5 findings (2 High)

Severity | Type | Value | Location
High | IP Address (hardcoded IP address) | 8.8.8.8 | SKILL.md:27
High | IP Address (hardcoded IP address) | 222.89.92.62 | SKILL.md:50
Medium | External URL | https://freegeoip.app/json/ | scripts/location.py:59
Medium | External URL | https://api.ipbase.com/v1/json/ | scripts/location.py:73
Medium | External URL | http://ip-api.com/json/ | scripts/location.py:87

File Tree

3 files · 8.0 KB · 280 lines
Python 1f · 174L Markdown 1f · 92L JSON 1f · 14L
├─ 📁 scripts
│ └─ 🐍 location.py Python 174L · 5.4 KB
├─ 📋 _meta.json JSON 14L · 464 B
└─ 📝 SKILL.md Markdown 92L · 2.1 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
None (stdlib only) | N/A | stdlib | No | No pip/conda packages required — only Python 3.6+ standard library

Security Positives

✓ Uses only Python stdlib (urllib, json, sys) — no external dependencies, no pip install, no supply chain risk
✓ No subprocess, shell execution, eval, or exec calls
✓ No credential harvesting, no environment variable scanning
✓ No obfuscation (base64, rot13, encoded strings, etc.)
✓ Behavior is fully declared in SKILL.md — doc-to-code alignment is strong
✓ All network calls are to well-known public geolocation APIs consistent with the stated purpose
✓ No filesystem writes, no sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No persistence mechanisms (no cron, no startup hooks, no backdoor installation)