Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

abe-fail2ban-reporter

v1.0.0

Auto-report fail2ban banned IPs via SkillBoss API Hub and notify via Telegram. Use when monitoring server security, reporting attackers, or checking banned I...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for abeltennyson/abe-fail2ban-reporter.

Install the skill "abe-fail2ban-reporter" (abeltennyson/abe-fail2ban-reporter) from ClawHub.
Skill page: https://clawhub.ai/abeltennyson/abe-fail2ban-reporter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install abe-fail2ban-reporter

ClawHub CLI

npx clawhub@latest install abe-fail2ban-reporter

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill is clearly designed to watch fail2ban and report banned IPs to SkillBoss API Hub; that purpose matches the scripts which call the SkillBoss endpoint and install a fail2ban action. However the registry metadata claims no required env vars while SKILL.md and the scripts require SKILLBOSS_API_KEY — an incoherence. README and SKILL.md mention Telegram notifications but there is no Telegram-related configuration or code in the scripts, which is misleading.
Instruction Scope
Runtime instructions and bundled scripts perform expected actions for the stated purpose: they read fail2ban status, call an external API, append to a local log, and install/remove a fail2ban action. These actions require root (writing /etc/fail2ban/action.d and modifying /etc/fail2ban/jail.local) and restart fail2ban. The scripts do not access unrelated secrets or network endpoints outside SkillBoss. One script uses a different log path (/var/log/abuseipdb-reports.log) than the others (/var/log/skillboss-ip-reports.log), indicating a copy/paste bug.
Install Mechanism
This is an instruction-only skill with shell scripts; no external packages are downloaded during install and there is no install spec that pulls code from remote URLs. The install acts by creating a local fail2ban action file and editing jail.local — expected for this integration.
Credentials
The scripts require a single API credential (SKILLBOSS_API_KEY), which is proportionate for calling the SkillBoss API. However the registry metadata lists no required env vars while SKILL.md declares requires.env: [SKILLBOSS_API_KEY], and the package metadata does not mark a primary credential — this mismatch is suspicious and could mislead users about what secrets are needed. No other credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to persist beyond installing a fail2ban action and writing logs. It requires root to write to /etc/fail2ban and restart the service, which is expected for this purpose but is a privilege escalation risk if you don't trust the code. The skill does not modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement what it claims (report fail2ban bans to SkillBoss) but has sloppy/misleading metadata and minor bugs — treat it as untrusted until you inspect and possibly edit it. Things to check before installing:

- Verify the SkillBoss service (https://api.heybossai.com) is the intended destination and you trust it. Use a dedicated API key with the narrowest permissions possible.
- The SKILL.md requires SKILLBOSS_API_KEY but the registry metadata lists none; ensure the platform will not hide that requirement. Do not supply a high-privilege or shared API key without confirming scope.
- Inspect and, if desired, modify scripts yourself: they will write /etc/fail2ban/action.d/skillboss-reporter.conf, edit /etc/fail2ban/jail.local, and restart fail2ban as root. Run these steps on a test system first.
- Fix the inconsistent log filename (/var/log/abuseipdb-reports.log vs /var/log/skillboss-ip-reports.log) and verify log file permissions so sensitive data isn't world-readable.
- README/SKILL.md mention Telegram notifications, but there is no Telegram configuration or code; if you need notifications, add a controlled, reviewed implementation rather than trusting an unimplemented claim.
- Consider running the reporting scripts manually (without install) to verify behavior before allowing automatic fail2ban actions.

If you want higher confidence, request the publisher to (1) correct registry metadata to declare SKILLBOSS_API_KEY, (2) remove or implement Telegram references, and (3) correct the log-path inconsistencies. If any of those are not addressed, treat the package as potentially sloppy and avoid giving it root access on production hosts.
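
The checks listed above can be scripted and run against a downloaded copy of the skill before anything executes as root. This is an added example, not part of the skill or of ClawHub's scanner: the function names and the two sample files are constructed for illustration, and only the log paths, the endpoint and the variable name are taken from this page.

```shell
#!/usr/bin/env bash
# Added example: static pre-install audit of a skill's shell scripts.

# Distinct /var/log paths referenced (more than one hints at a copy/paste bug).
log_paths() { grep -rhoE '/var/log/[A-Za-z0-9._-]+' "$1" | sort -u; }

# Distinct hosts contacted over HTTP(S).
url_hosts() { grep -rhoE 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u; }

# Upper-case environment variables read as $NAME or ${NAME}.
env_vars() { grep -rhoE '\$\{?[A-Z][A-Z0-9_]{2,}' "$1" | tr -d '${' | sort -u; }

# Number of lines mentioning Telegram (0 = documented feature has no code).
telegram_refs() { grep -rhic 'telegram' "$1" | awk '{n += $1} END {print n + 0}'; }

# audit DIR "DECLARED_VARS": print findings; DECLARED_VARS is the space-separated
# list of env vars the registry metadata declares.
audit() {
  a_dir=$1; a_declared=$2
  if [ "$(log_paths "$a_dir" | wc -l)" -gt 1 ]; then
    echo "WARN inconsistent log paths: $(log_paths "$a_dir" | tr '\n' ' ')"
  fi
  for a_var in $(env_vars "$a_dir"); do
    case " $a_declared " in
      *" $a_var "*) ;;
      *) echo "WARN undeclared env var: $a_var" ;;
    esac
  done
  for a_host in $(url_hosts "$a_dir"); do echo "INFO outbound host: $a_host"; done
  if [ "$(telegram_refs "$a_dir")" -eq 0 ]; then
    echo "WARN no Telegram code found"
  fi
}

# Constructed stand-ins for the skill's scripts (NOT the real files).
make_sample() {
  s_dir=$(mktemp -d)
  cat > "$s_dir/sample-a.sh" <<'EOF'
curl -s -H "Authorization: Bearer $SKILLBOSS_API_KEY" https://api.heybossai.com/v1/pilot
echo "$1 reported" >> /var/log/skillboss-ip-reports.log
EOF
  cat > "$s_dir/sample-b.sh" <<'EOF'
tail -n 20 /var/log/abuseipdb-reports.log
EOF
  echo "$s_dir"
}

sample=$(make_sample)
audit "$sample" ""   # empty list: the registry metadata declares no env vars
rm -rf "$sample"
```

Point `audit` at the skill's real `scripts/` directory and pass the env vars the registry actually declares; any `WARN` line is something to resolve before running install.sh.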

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ep84kxs4wtcmbrmsd77ech185fa8c
56 downloads
0 stars
1 version
Updated 4d ago
v1.0.0
MIT-0

fail2ban Reporter

Monitor fail2ban bans and auto-report attacker IPs via SkillBoss API Hub.

Setup

  1. Get your SkillBoss API key from the SkillBoss dashboard
  2. Store it: export SKILLBOSS_API_KEY="your-key"
  3. Install the monitor: bash {baseDir}/scripts/install.sh

Manual Usage

Report all currently banned IPs

bash {baseDir}/scripts/report-banned.sh

Check a specific IP

bash {baseDir}/scripts/check-ip.sh <ip>

Show ban stats

bash {baseDir}/scripts/stats.sh

Auto-Reporting

The install script sets up a fail2ban action that auto-reports new bans.

bash {baseDir}/scripts/install.sh    # install auto-reporting
bash {baseDir}/scripts/uninstall.sh  # remove auto-reporting

Heartbeat Integration

Add to HEARTBEAT.md to check for new bans periodically:

- [ ] Check fail2ban stats and report any unreported IPs via SkillBoss API Hub

Workflow

  1. fail2ban bans an IP → action triggers report-single.sh
  2. Script queries SkillBoss API Hub (search type) for IP threat intelligence
  3. Sends Telegram notification (if configured)
  4. Logs report to /var/log/skillboss-ip-reports.log

API Reference

All API calls route through SkillBoss API Hub at https://api.heybossai.com/v1/pilot. Authentication: Authorization: Bearer $SKILLBOSS_API_KEY

See references/skillboss-api.md for full API docs.
