shodan-skills

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Shodan lookup skill: it uses a Shodan API key and sends requested lookup targets to Shodan. It carries privacy cautions, but no hidden or destructive behavior was found.

Install only if you intend to use Shodan for reconnaissance and are comfortable with lookup targets being sent to Shodan. Use a dedicated Shodan API key, avoid sharing logs or screenshots containing full API URLs, and confirm sensitive internal domains, customer names, or investigation targets before querying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares use of an environment variable and makes outbound API requests, but does not declare explicit permissions for those capabilities. This weakens platform-level transparency and control, making it easier for a skill to access secrets and transmit user-derived data without clear user or system mediation.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger conditions are broad enough to activate on many general security, networking, and asset-discovery requests. In context, this can cause the agent to invoke an external reconnaissance capability for ambiguous prompts, potentially sending user-provided targets or search terms to Shodan without sufficiently narrow consent boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation does not warn that IP addresses, domains, and search queries supplied by the user will be transmitted to Shodan, a third-party service. This creates a privacy and data-handling risk, especially when prompts contain sensitive internal assets, customer domains, investigation targets, or confidential search terms.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs users to place the Shodan API key in the URL query string but does not warn that query parameters are commonly exposed in browser history, proxy logs, server logs, analytics, screenshots, and shell history. While this is common in some APIs, documenting it without any credential-handling caution can lead to accidental secret disclosure and unauthorized API use.

VirusTotal

66/66 vendors flagged this skill as clean.