fail2ban Reporter

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill largely does what it says—reports fail2ban-banned IPs to AbuseIPDB—but enabling auto-reporting gives it persistent, privileged reporting behavior that users should review first.

Review the scripts before running the privileged installer, confirm you want automatic AbuseIPDB reporting for fail2ban bans, store the API key securely, and do not assume Telegram alerts work from these artifacts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the reporting scripts or enabling auto-reporting will submit banned IP information to AbuseIPDB under the user's API key.

Why it was flagged

The script submits IP reports to AbuseIPDB using script-provided IP and comment values. This is the stated purpose, but it is still an external reporting action users should understand.

Skill content

"https://api.abuseipdb.com/api/v2/report" \
  -H "Key: $API_KEY" \
  --data-urlencode "ip=$IP"

Recommendation

Use it only on intended fail2ban jails, confirm the report categories and comments are appropriate, and review /var/log/abuseipdb-reports.log.

What this means

Reports will be made using the user's AbuseIPDB account authority.

Why it was flagged

The skill reads an AbuseIPDB credential from the environment or local password store. This is expected for the integration, but the registry metadata does not declare a primary credential.

Skill content

API_KEY="${ABUSEIPDB_KEY:-$(pass show abuseipdb/api-key 2>/dev/null || echo "")}"

Recommendation

Use a revocable AbuseIPDB key, store it securely, and monitor AbuseIPDB usage or rate-limit errors.

Note
High Confidence
ASI10: Rogue Agents

What this means

After installation, new fail2ban bans can trigger automatic AbuseIPDB reports without another manual command.

Why it was flagged

Installing creates a fail2ban action that persists and automatically runs report-single.sh on future bans. This is clearly aligned with the auto-reporting purpose and an uninstall script is included.

Skill content

cat > /etc/fail2ban/action.d/abuseipdb.conf << CONF
[Definition]
actionban = bash $SCRIPT_DIR/report-single.sh <ip> "SSH brute-force on <name> jail (fail2ban auto-report)"

Recommendation

Install only if continuous auto-reporting is desired, and use scripts/uninstall.sh to remove the fail2ban action when no longer needed.

What this means

Users may expect Telegram alerts that the provided code does not actually send.

Why it was flagged

The artifacts advertise Telegram notification, but the provided scripts do not contain Telegram token handling or Telegram API calls. This appears to be an unsupported feature claim rather than hidden behavior.

Skill content

Auto-report fail2ban banned IPs to AbuseIPDB and notify via Telegram... Sends Telegram notification (if configured)

Recommendation

Do not rely on Telegram notifications unless a reviewed Telegram implementation is added and configured.