Low Risk — Risk Score 20/100
Last scan: 2 days ago
groundapi_context_aware
Context-aware daily assistant — auto-detect user location via IP, provide local weather, track packages, and offer lifestyle tips. Powered by GroundAPI MCP tools.
A purely declarative SKILL.md using only documented MCP tools with no local execution, scripts, or hidden functionality.
Skill Name: groundapi_context_aware
Duration: 23.9s
Engine: pi
Safe to install
Approve for use. The hardcoded IP 8.8.8.8 is a benign documentation example. No local execution or credential exfiltration detected.

Findings 2 items

Severity Finding Location
Low
Hardcoded IP address 8.8.8.8 in documentation example
Line 100 of SKILL.md uses 8.8.8.8 as an example IP address to demonstrate the life_ip() tool. This is a well-known public DNS resolver IP used for documentation purposes and poses no security risk.
Call `life_ip(address="8.8.8.8")` or `life_ip()` (to look up your own address)
→ No action needed. This is a legitimate documentation example. Consider using a more neutral IP (e.g., 1.1.1.1) to avoid any association concerns.
SKILL.md:100
Low
External service dependencies declared
The skill depends on external GroundAPI MCP service (mcp.groundapi.net/sse) and its upstream weather/logistics providers. These are declared in SKILL.md configuration example.
"url": "https://mcp.groundapi.net/sse"
→ No action needed. Dependencies are clearly documented.
SKILL.md:29
| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | NONE | | No file read/write operations present — SKILL.md only |
| Network | READ | READ | ✓ Aligned | All network activity routed through documented MCP tools (life_ip, life_weather,… |
| Shell | NONE | NONE | | No subprocess, bash, or shell execution of any kind |
| Environment | READ | READ | ✓ Aligned | GROUNDAPI_KEY declared in metadata.requires.env — not iterated or exfiltrated |
| Skill Invoke | READ | READ | ✓ Aligned | Only invokes documented MCP tools: life_ip, life_weather, life_logistics, info_n… |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
1 High 3 findings
High IP Address (hardcoded IP address)
8.8.8.8
SKILL.md:100
Medium External URL
https://groundapi.net
SKILL.md:9
Medium External URL
https://mcp.groundapi.net/sse
SKILL.md:29

File Tree

1 file · 3.3 KB · 132 lines
Markdown 1f · 132L
└─ 📝 SKILL.md Markdown 132L · 3.3 KB

Security Positives

✓ Only SKILL.md — no scripts, no dependencies, no executable code
✓ All capabilities routed through documented MCP tools only
✓ API key (GROUNDAPI_KEY) is properly declared in metadata
✓ No local filesystem, shell, or environment variable access
✓ No credential harvesting or exfiltration
✓ No base64, eval, curl|bash, or other high-risk patterns
✓ Feature scope is narrow and clearly documented