Wondering about the reliability of Canary tokens

Hi, one of the features of Canary tokens is scanning the target IP address. It makes me wonder: can't the writer of the site use the same method to get our public IP address as users? It also makes me wonder whether this could be used in various ways in an attack: you could do the same thing to your Word files, send them to your friends, workmates, or boss, and get their IP addresses? So are Canary tokens really safe?

Yes, they can be used like that, and they have been. I have had messages from people telling me they found a kidnapped child and a stalker by sending them a token.

Can someone still get your IP address even if you are using a VPN when requesting a token? I know Tor states that you shouldn’t open documents while you are using Tor - does the same thing apply when using your VPN?

It depends on whether the browser used is using Tor or a VPN, or whether the DNS request uses the VPN or Tor. Yes, there is a chance of a leak, more so with Tor unless you use Whonix or Tails.