fofa-query
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can help identify exposed or vulnerable public assets, which may be sensitive if used outside an authorized engagement.
The skill is explicitly designed for internet asset discovery and includes examples for finding potentially vulnerable software versions. That is purpose-aligned for FOFA security research, but it is dual-use and should be scoped carefully.
Capabilities include: IP/domain lookup, port scan result lookup, protocol identification, certificate analysis ... User request: "Find servers running Apache 2.4.49"
Use it only for assets and research scopes you are authorized to investigate, and prefer narrow queries and limited result sizes.
Anyone with access to the configured credential could use your FOFA account or consume your API quota.
The script reads the user's FOFA credential and sends an authorization header to the FOFA API. This is expected for the integration, but it gives the skill access to the user's FOFA account and quota.
api_key = os.getenv(f"FOFA_API_KEY") ... "Authorization": self._build_auth_header()
Store FOFA_API_KEY securely, use a dedicated or revocable key if possible, avoid placing credentials in shared logs or command history, and rotate the key if exposed.
FOFA can receive the domains, IPs, organizations, or vulnerability-related terms you search for.
User search queries and target identifiers are encoded and sent to FOFA's external API. This is necessary and disclosed for FOFA querying, but the queried targets may reveal investigation interests.
API_BASE = "https://fofa.info/api/v1" ... "qbase64": base64.b64encode(query.encode()).decode() ... requests.get(url, params=params, headers=headers, timeout=30)
Do not submit confidential target information unless sharing it with FOFA is acceptable under your policies and FOFA account terms.
It may be harder to verify who maintains the skill or compare it to an upstream project.
The registry metadata does not provide an upstream source or homepage. The included code is small and has no remote installer, so this is a provenance gap rather than evidence of malicious behavior.
Source: unknown
Homepage: none
Review the included files before installation and prefer trusted registry entries or a known upstream source when available.
