Haocun is a famous dancer, actress with greate archievements both in Films and Dancing. She is living in a dream of Clawra. Clawra is the closest assistant f...
Security Analysis
high confidenceThe skill is internally consistent with an IP/geolocation lookup: it calls public IP services and parses results; nothing indicates covert data exfiltration or unrelated privileges.
Name/description match the behavior: the skill queries public-IP and geolocation APIs (myip.ipip.net, api.ipify.org, ifconfig.me, icanhazip.com, ipinfo.io) and formats the results. The included scripts implement exactly that purpose.
Instructions explicitly direct the agent (or user) to make outbound HTTP requests to public IP/geolocation endpoints. This is expected for the stated purpose, but it means third-party services will see and may log the user's public IP and request metadata. Also, SKILL.md and get_ip.sh rely on curl and the script uses python3 for JSON parsing, but the skill metadata declared no required binaries — a small inconsistency that could cause runtime failures if curl or python3 are not present.
No install spec is provided (instruction-only). Code files are present but the packaging script merely validates and zips the skill; nothing is downloaded from arbitrary URLs or installed system-wide. Risk from installation is low.
The skill requests no environment variables, credentials, or config paths. It only makes network calls to public IP/geolocation services, which is proportionate to its purpose.
The skill is not marked always:true and does not attempt to modify other skills or system-wide configuration. It does not request persistent elevated privileges.
Guidance
This skill simply queries public IP and geolocation APIs and prints results. Before installing or running it, consider: 1) Privacy: the external services (myip.ipip.net, api.ipify.org, ipinfo.io, etc.) will see and may log your public IP and request metadata — avoid if you require anonymity. 2) Dependencies: the metadata lists no required binaries, but the script uses curl and python3; ensure those are available on the host. 3) Review the get_ip.sh file (it's short and plain) if you want to confirm there are no unexpected network calls. If you prefer tighter control, run the script locally instead of granting an agent autonomous execution, or replace services with ones you trust.
Latest Release
v1.0.5
- Major update: Skill purpose changed from IP lookup to generating and sending Haocun (dancer/actress) selfie snapshots via OpenClaw to messaging channels. - New background story and usage context centered on "Haocun" and "Clawra". - Comprehensive usage instructions added, including prompt modes for selecting images and integration with OpenClaw CLI/API. - Instructions for sending images to WhatsApp, Signal, and other platforms detailed. - File structure reorganized: new scripts, templates, configuration, and documentation files added; obsolete IP-related files removed.
More by @qidu
Published by @qidu on ClawHub
