fail2ban Reporter
v1.0.0
Auto-report fail2ban banned IPs to AbuseIPDB and notify via Telegram. Use when monitoring server security, reporting attackers, or checking banned IPs. Watches fail2ban for new bans, reports them to AbuseIPDB, and sends alerts.
by jester @jestersimpps
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or binaries, but the scripts and SKILL.md clearly require an AbuseIPDB API key (ABUSEIPDB_KEY or a pass entry) and system tools such as fail2ban, jq, and curl. The README and SKILL.md advertise Telegram notifications, but there is no code implementing Telegram integration. The requested filesystem and systemd changes (editing /etc/fail2ban/* and restarting fail2ban) are appropriate for the stated purpose, but the metadata omission and the unimplemented Telegram feature are inconsistent with the skill description.
Instruction Scope
Runtime instructions and scripts stay within the stated purpose: they read fail2ban state, report IPs to AbuseIPDB, and log results to /var/log/abuseipdb-reports.log. The install/uninstall scripts modify /etc/fail2ban/action.d and /etc/fail2ban/jail.local and restart fail2ban (requires root). Scripts read the AbuseIPDB key either from environment or via pass. There is no evidence of other data collection or exfiltration beyond reporting to AbuseIPDB, but the install modifies system configuration and requires sudo — users should review the exact sed edits before running.
Install Mechanism
There is no remote install step; this is an instruction-and-script package included in the skill. That lowers supply-chain risk. The install script writes files under /etc/fail2ban and restarts fail2ban, which is expected for the functionality. No downloads from untrusted URLs are performed.
Credentials
The skill requires an AbuseIPDB API key (checked at runtime via ABUSEIPDB_KEY or pass show abuseipdb/api-key), plus system-level sudo to edit fail2ban config, but the manifest declares no required env vars or credentials. The use of pass to read a specific entry is reasonable, but the metadata should have declared the primary credential. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable. The installer requires root and modifies system fail2ban configs and restarts the service — this is necessary for auto-reporting, but it's a high-privilege operation. Users should expect and approve these changes before installing. The skill does not appear to change other skills or agent-wide configs.
What to consider before installing
Before installing:
(1) Review the scripts (install.sh, report-*.sh, uninstall.sh) yourself — they will write /etc/fail2ban/action.d/abuseipdb.conf, edit /etc/fail2ban/jail.local, and restart fail2ban (requires sudo).
(2) Ensure you actually want automatic external reporting to AbuseIPDB — reports are sent to a third party and could affect how IPs are treated.
(3) Provide an AbuseIPDB API key via ABUSEIPDB_KEY or store it at pass show abuseipdb/api-key; the skill metadata does not declare this requirement, so it will fail silently if missing.
(4) Back up /etc/fail2ban/jail.local before running install.sh, because the script edits it with sed.
(5) Note: Telegram notifications are advertised, but no Telegram code or env vars are present — if you need alerts via Telegram, you'll have to add that yourself.
(6) If you are uncomfortable with a script running as root and modifying system service config, run the reporting scripts manually (report-banned.sh / report-single.sh) instead of running install.sh.
Like a lobster shell, security has layers — review code before you run it.
