fail2ban Reporter
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: fail2ban-reporter
Version: 1.0.0
This skill is designed to integrate with fail2ban to automatically report banned IPs to AbuseIPDB. It performs high-privilege operations, such as modifying fail2ban configuration files (`/etc/fail2ban/action.d/abuseipdb.conf`, `/etc/fail2ban/jail.local`) and restarting the fail2ban service, as seen in `scripts/install.sh` and `scripts/uninstall.sh`. It also makes external network calls to `api.abuseipdb.com` using `curl` to report and check IPs, as shown in `scripts/report-single.sh` and `scripts/check-ip.sh`. API keys are handled securely via environment variables or `pass`. All actions are clearly aligned with the stated purpose, require explicit user interaction (e.g., `sudo` for installation), and there is no evidence of malicious intent, unauthorized data exfiltration, or harmful prompt injection attempts in `SKILL.md` or `README.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the reporting scripts or enabling auto-reporting will submit banned IP information to AbuseIPDB under the user's API key.
The script submits IP reports to AbuseIPDB using script-provided IP and comment values. This is the stated purpose, but it is still an external reporting action users should understand.
"https://api.abuseipdb.com/api/v2/report" \
  -H "Key: $API_KEY" \
  --data-urlencode "ip=$IP"
Use it only on intended fail2ban jails, confirm the report categories and comments are appropriate, and review /var/log/abuseipdb-reports.log.
Reports will be made using the user's AbuseIPDB account authority.
The skill reads an AbuseIPDB credential from the environment or local password store. This is expected for the integration, but the registry metadata does not declare a primary credential.
API_KEY="${ABUSEIPDB_KEY:-$(pass show abuseipdb/api-key 2>/dev/null || echo "")}"
Use a revocable AbuseIPDB key, store it securely, and monitor AbuseIPDB usage or rate-limit errors.
After installation, new fail2ban bans can trigger automatic AbuseIPDB reports without another manual command.
Installing creates a fail2ban action that persists and automatically runs report-single.sh on future bans. This is clearly aligned with the auto-reporting purpose and an uninstall script is included.
cat > /etc/fail2ban/action.d/abuseipdb.conf << CONF
[Definition]
actionban = bash $SCRIPT_DIR/report-single.sh <ip> "SSH brute-force on <name> jail (fail2ban auto-report)"
Install only if continuous auto-reporting is desired, and use scripts/uninstall.sh to remove the fail2ban action when no longer needed.
Users may expect Telegram alerts that the provided code does not actually send.
The artifacts advertise Telegram notification, but the provided scripts do not contain Telegram token handling or Telegram API calls. This appears to be an unsupported feature claim rather than hidden behavior.
Auto-report fail2ban banned IPs to AbuseIPDB and notify via Telegram... Sends Telegram notification (if configured)
Do not rely on Telegram notifications unless a reviewed Telegram implementation is added and configured.
