Shodan Reconnaissance and Pentesting

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes commands and code that embed API keys directly (e.g., shodan init YOUR_API_KEY, curl ...?key=YOUR_KEY, API_KEY='YOUR_API_KEY'), which requires the agent to insert secret values verbatim into generated outputs, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill instructs the agent to fetch and parse arbitrary public internet content via Shodan (e.g., shodan search/host, API calls like https://api.shodan.io/..., downloading results.json.gz and reading fields such as http.html and screenshots), which are untrusted/open-web sources and are explicitly read and interpreted as part of the workflow.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:12 PM