shodan

SUSPICIOUS: the skill's stated purpose matches Shodan-style reconnaissance, but the implementation path is not aligned with Shodan's official CLI. It routes usage and likely API-key handling through x-cmd, a third-party wrapper installed via remote bootstrap, creating unnecessary supply-chain and credential-forwarding risk. No confirmed malicious exfiltration is shown, but the trust boundary is broader than the skill claims and the offensive recon scope makes this a high-risk AI agent capability.