技能详情(站内镜像,无评论)
作者:Anonymous @adminlove520
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v4.3.0
统计:⭐ 0 · 120 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:adminlove520/search-viewer
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The package is a local GUI OSINT tool that matches its description, but there are coherence and safety concerns (missing/incorrect dependency declarations, incomplete install instructions, and plaintext storage / arbitrary URL fetch behavior) that warrant review before use.
目的
The code implements a desktop GUI aggregator for Fofa/Hunter/Shodan/Quake/Zoomeye (consistent with the description). However the metadata and SKILL.md list only pyside2 and requests while the code imports additional libraries (shodan, mmh3, configobj, jsonpath, configparser, etc.). This mismatch indicates the provided instructions and metadata are incomplete or out-of-sync with the actual code.
说明范围
Runtime instructions tell the user to clone and run the app and to install only pyside2 and requests. The application reads and writes a local config.ini to store API keys (no encryption) and provides UI features that fetch arbitrary URLs (iconhash uses requests.get on user input). Storing API keys in plaintext and fetching arbitrary URLs (which can reach internal resources) are security-sensitive behaviors that the SKILL.md does not adequatel…
安装机制
There is no automated install spec (lower platform install risk), but the SKILL.md's pip install line is incomplete relative to the code's imports. Users following the instructions will likely encounter missing-dependency errors or install the wrong set of packages.
证书
The skill does not request environment variables or external credentials in the metadata (appropriate). It does, however, require users to supply multiple third-party API keys via the GUI which are stored locally in config.ini in plaintext—this is functionally expected but worth noting because those keys grant network access and should be protected.
持久
The skill is not marked always:true and does not request system-wide configuration or other skills' credentials. It runs as a local application and keeps configuration in a local file; it does not appear to claim elevated platform privileges.
Search_Viewer.py:414
Dynamic code execution detected.
resources_rc.py:13
Potential obfuscated payload detected.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Search Viewer」。简介:整合Fofa、Hunter、Shodan等空间测绘平台API,辅助渗透测试信息收集和资产发现的工具。。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/adminlove520/search-viewer/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
# 🕵️ Search Viewer Skill
> 信息收集与空间测绘工具
## 简介
Search Viewer 是一个聚合多个空间测绘平台的信息收集工具,帮助渗透测试人员进行 reconnaissance(侦察)阶段的信息收集。
## 支持平台
| 平台 | 说明 | 用途 |
|------|------|------|
| **Fofa** | 网络空间搜索引擎 | 资产发现 |
| **Hunter** | 鹰图 | 企业资产查询 |
| **Shodan** | 物联网搜索引擎 | 设备发现 |
| **360 Quake** | 360空间测绘 | 资产发现 |
| **Zoomeye** | 钟馗之眼 | 网络空间探测 |
## 安装
### 1. 克隆仓库
```bash
git clone https://github.com/adminlove520/Search_Viewer.git
cd Search_Viewer
```
### 2. 安装依赖
```bash
pip install pyside2 requests
```
### 3. 运行
```bash
python Search_Viewer.py
```
## 使用方法
### 配置 API Key
首次使用需要配置各平台的 API Key:
- Fofa: 需要注册获取 FOFA_TOKEN
- Hunter: 需要积分
- Shodan: 需要 API Key
- 360 Quake: 需要 API Key
- Zoomeye: 需要登录获取 Token
### 搜索语法
#### Fofa 语法
```bash
# 搜索 title="nginx" 的网站
title="nginx"
# 搜索 banner="nginx"
banner="nginx"
# 搜索端口 80 的主机
port=80
# 组合查询
domain="example.com" && port=443
```
#### Shodan 语法
```bash
# 搜索 nginx
nginx
# 搜索特定国家
country:CN
# 搜索特定端口
port:22
# 组合
nginx country:CN
```
#### Hunter 语法
```bash
# 搜索域名
domain="example.com"
# 搜索 ip
ip="1.1.1.1"
```
## 职业应用
### 渗透测试工程师
| 阶段 | 使用平台 | 目的 |
|------|----------|------|
| 信息收集 | Fofa/Zoomeye | 发现目标资产 |
| 子域名枚举 | Hunter/Shodan | 扩大攻击面 |
| 端口扫描 | Quake | 发现开放服务 |
| 指纹识别 | 全平台 | 识别技术栈 |
### 安全研究员
| 用途 | 说明 |
|------|------|
| 漏洞发现 | 通过空间测绘发现暴露资产 |
| 趋势分析 | 分析特定技术的全球分布 |
| 应急响应 | 快速定位受影响资产 |
## 典型查询示例
### 查找目标的资产
```bash
# Fofa: 查找目标域名相关的所有资产
domain="目标域名"
# Hunter: 企业资产查询
company="目标公司"
```
### 查找特定技术
```bash
# Fofa: 查找暴露的数据库
app="mysql" && port=3306
# Shodan: 查找暴露的 Redis
redis untagged
```
### 查找弱口令服务
```bash
# Shodan: 查找 SSH
port:22 has_ssh:true
# Fofa: 查找 FTP
ftp anon=Yes
```
## 注意事项
1. **合规使用**: 只对自己有授权的目标进行测试
2. **API 限制**: 各平台有查询限制,合理使用
3. **隐私保护**: 不要收集和存储敏感个人信息
4. **法律风险**: 遵守当地法律法规
## 相关资源
- 官方仓库: https://github.com/adminlove520/Search_Viewer
- Fofa: https://fofa.info
- Hunter: https://hunter.qianxin.com
- Shodan: https://www.shodan.io
- Zoomeye: https://www.zoomeye.org
## 更新日志
- 2026-03-12: 初始版本