
Security audit

Shodan Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Shodan wrapper, but it lets an agent trigger active scans and persistent Shodan account changes without enough safety boundaries.

Install only if you intentionally want your agent to use your Shodan account for security research. Protect the API key, assume queries and targets are sent to Shodan, restrict use to assets you own or are authorized to assess, and require manual approval before scans, alert creation, exploit searches, or realtime streams.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises executable commands that can read local files and use environment/configured credentials, but it does not declare corresponding permissions. This undermines informed consent and permission gating, making it easier for a user or host system to invoke capabilities they did not clearly approve.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill as search/scan/alerts/DNS, but the documented behavior is broader and includes exploit search, realtime streaming, account/profile queries, metadata enumeration, and notifier/directory functions. This mismatch can mislead reviewers and users about the true operational scope, increasing the chance of unintended sensitive or account-impacting actions.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest omits the exploit-search feature, which is a materially different capability from ordinary host search or DNS lookup. Hiding or understating that functionality reduces transparency and can bypass policy review or user scrutiny for a more sensitive reconnaissance feature.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
Realtime streaming is not disclosed in the manifest even though it can continuously ingest external data and materially change bandwidth, cost, and operational impact. Undisclosed persistent or semi-persistent network activity is riskier than one-off lookups because users may not expect an ongoing data flow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README prominently promotes network reconnaissance, vulnerability scanning, exploit search, monitoring, and real-time data collection, but provides no warning that these actions must only be performed with authorization and in compliance with law and privacy obligations. In an AI-agent skill context, this omission is more dangerous because it normalizes dual-use offensive workflows and may cause agents or users to initiate intrusive actions without clear consent boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example prompts directly encourage scanning hosts, monitoring subnets, finding exploits, and streaming live network data, yet they omit any restriction to authorized environments or warning about sensitive data exposure. Because these are ready-to-use prompts for AI agents, they can lower the barrier to misuse and lead to unauthorized reconnaissance or monitoring.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup instructs users to configure a Shodan API key but provides no warning about credential sensitivity, storage location, or authentication to a third-party service. In a skill context, this can lead to accidental secret exposure, misuse of paid accounts, or users running authenticated requests without understanding the trust boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes scan and alert-management operations that send external requests and can consume credits or modify account state, yet it lacks explicit warnings and confirmation guidance beyond brief notes. In this context, the danger is elevated because scanning and alert creation are active operations with financial, legal, and operational consequences if run on unintended targets.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The scan command directly invokes Shodan's on-demand scanning API, which triggers an active external operation against user-supplied targets without any confirmation, safety prompt, or policy check. In an agent/skill setting, this increases the risk of accidental or unauthorized scanning of third-party infrastructure, creating legal, compliance, or abuse concerns.

VirusTotal

64/64 vendors flagged this skill as clean.
