Skip to main content
Glama

IP Lookup

ip_lookup
Read-onlyIdempotent

Query an IP to obtain its geo, ASN, reverse DNS, open ports, hostnames, vulnerabilities, cloud provider, Tor exit status, reputation, and risk score from multiple sources.

Instructions

Query comprehensive IP intelligence: reverse DNS, ASN + holder name + country inline (RIPE Stat, Phase 1), open ports, hostnames, vulnerabilities (Shodan InternetDB enriched with severity + cvss_v3 from local cve.db — Phase 2 v1.16.0 BREAKING; vulns is now list[VulnInfo] {cve_id, severity, cvss_v3} dicts, pre-1.16 it was list[str] of CVE IDs; unknown CVEs emit severity='UNKNOWN' / cvss_v3=null — do NOT infer benign), cloud provider, Tor exit status, and reputation. cloud_provider uses two-tier detection: published cloud CIDR ranges (AWS/GCP/Cloudflare) first, then an ASN-to-provider fallback map for anycast/public-service IPs outside published ranges (e.g. 8.8.8.8 → AS15169 → 'Google'). Reputation: FireHOL level1 blocklist on Free tier; +AbuseIPDB + Shodan on Pro (Phase 4). Use for IP investigation; for orchestrated IP+reputation use threat_report. Response is null-explicit: every field is always present (cloud_provider=null when neither tier matches; tor_exit=false when not listed or upstream fetch failed — check verdict.sources_unavailable to disambiguate fetch failure from genuine absence). Response carries next_calls (conditional) — asn_lookup when ASN is populated, ioc_lookup when reputation is FireHOL-listed or AbuseIPDB confidence>50, threat_report on Pro tier for orchestrated profile. Free: 30/hr, Pro: 500/hr. Returns {ip, ptr, geo, asn, asn_name, country, ports, hostnames, vulns, cloud_provider, tor_exit, reputation, risk_score, verdict, next_calls}.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
ipYesIPv4 or IPv6 address to investigate (e.g. '8.8.8.8', '2606:4700::1111')

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations (readOnlyHint, openWorldHint, idempotentHint, destructiveHint=false) are complemented by extensive behavioral details: null-explicit response fields, two-tier cloud_provider detection, tor_exit false on fetch failure vs genuine absence, next_calls logic, version-breaking changes for vulns field format, and severity handling. No contradictions with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is long and dense with information. While every sentence adds value, the sheer length and run-on style reduce readability. It could benefit from structured formatting (e.g., bullet points) or segmentation by topic. Front-loading is good but overall conciseness suffers.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of the tool (many response fields, conditional behaviors, version history), the description is thorough. It explains every field's behavior, null handling, and next_calls, making it complete for agent usage. The output schema exists but is not needed given the detailed prose.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The single parameter 'ip' is described in schema (IPv4 or IPv6). The description adds examples ('8.8.8.8', '2606:4700::1111') and context about its purpose, providing value beyond the schema's brief description. Schema coverage is 100%, so baseline is 3; the extra examples increase it to 4.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description uses a specific verb ('Query') and resource ('comprehensive IP intelligence'), listing numerous data points (reverse DNS, ASN, ports, vulnerabilities, etc.). It clearly distinguishes from siblings like asn_lookup, ioc_lookup, and threat_report by stating 'Use for IP investigation; for orchestrated IP+reputation use threat_report.'

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly says 'Use for IP investigation; for orchestrated IP+reputation use threat_report.' It includes rate limits (Free 30/hr, Pro 500/hr) and mentions triggers for next_calls (asn_lookup, ioc_lookup, threat_report). However, it does not explicitly state when not to use this tool beyond the alternative mention.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/UPinar/contrastapi'

If you have feedback or need assistance with the MCP directory API, please join our Discord server