Skill v0.1.0
ClawScan security
Shodan Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 14, 2026, 6:36 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill matches its Shodan-focused description and code, but the package metadata omits the fact that it requires a Shodan API key (and reads a local config file), and the README points to an external GitHub repo of unclear provenance — review before installing and supplying credentials.
- Guidance: This skill appears to implement a legitimate Shodan wrapper, but review these points before installing:
  1. The code requires a Shodan API key (SHODAN_API_KEY or ~/.config/shodan/api_key) but the registry metadata did not declare it — be careful where you store/provide that key.
  2. The README points to an external GitHub repo (liuweitao/shodan-skill); verify the repository and author before cloning.
  3. On-demand scans and streaming consume Shodan credits and may have legal/ethical implications — only run scans you are authorized to perform.
  4. Inspect the included scripts yourself (they are provided) and run the skill in a sandbox or low-privilege account if possible.
  5. If you want to allow autonomous agent use, consider restricting or auditing agent actions that trigger scans/streams to prevent unexpected network activity or credential exposure.
Review Dimensions
- Purpose & Capability (ok): Name, description, required binaries (python3, pip), and included Python script all align with providing Shodan API features (search, host, scan, alerts, stream, DNS, exploits). The use of the official shodan Python library is expected.
- Instruction Scope (note): SKILL.md and the CLI script keep to Shodan-related operations only (search, scan, stream, alerts, DNS, etc.). The script reads a Shodan API key from SHODAN_API_KEY or ~/.config/shodan/api_key and outputs JSON results; SKILL.md documents shodan init and SHODAN_API_KEY but does not explicitly call out reading the config file.
- Install Mechanism (ok): No opaque install step or remote download is embedded in the registry entry; the skill is instruction-only (with an included script). Dependencies are standard (pip install shodan). README suggests cloning a GitHub repo, but the skill bundle already contains the code.
- Credentials (concern): Registry metadata lists no required env vars or primary credential, but runtime code requires a Shodan API key (SHODAN_API_KEY env var or ~/.config/shodan/api_key). The metadata omission is an incoherence — the skill will fail without the key and users may not realize they must provide it. Apart from that, no unrelated credentials are requested.
- Persistence & Privilege (ok): always:false and default autonomy are set; the skill does not request persistent system-wide changes or modify other skills. It does perform network actions via Shodan (including scans and streams) which have operational and ethical implications but are coherent with its purpose.
