Description

Command-line tool for searching global network assets using ZoomEye AI, supporting advanced queries for asset discovery, CVE, and Bug Bounty research.

README (SKILL.md)

ZoomEye AI — Cyberspace Search

Name: zoomeye-ai-search
Author: jjbondone

Search global network assets via the zoomeyeai CLI at https://www.zoomeye.ai.

Key features: Supports vul.cve, is_bugbounty, bugbounty.source, is_changed, is_new fields.

When to Use

Triggers (MUST load this skill)

Searching global/overseas network assets
Building dork queries for ZoomEye international
Searching assets affected by a CVE
Bug Bounty asset discovery and filtering
Searching for assets added or changed in the last 7 days
User mentions "zoomeyeai", "zoomeye.ai", "ZoomEye AI", "ZoomEye international"

Skip

Purely theoretical discussion, no execution needed
User asks about Shodan, Censys, or other search engines

Syntax-only mode

If the user only wants natural language → dork conversion ("how do I search for...", "write me the syntax for..."), skip environment checks and execution. Go directly to Workflow → Step 1 and output the dork.

Prerequisites

Step 1: Check Environment

Always verify the environment before executing any search:

# Check if installed
which zoomeyeai && zoomeyeai --version

# Check if token is configured
zoomeyeai info

Step 2: Guide the User Based on Results

If zoomeyeai is not installed:

pip3 install zoomeyeai

If zoomeyeai info returns an auth error (token not configured):

Tell the user they need a ZoomEye AI API-KEY:
To use ZoomEye international search, you need an API-KEY:
1. Go to https://www.zoomeye.ai/profile and log in
2. Find your API-KEY in your profile
3. Send me the key and I'll initialize it for you
Once the user provides the key:
```
zoomeyeai init -apikey "\x3CAPIKEY>"
```
Verify:
```
zoomeyeai info
```
Confirm the response shows user info and quota, then proceed.

If zoomeyeai info returns normally:

Environment is ready. Proceed to workflow.

CLI Commands

zoomeyeai -h                        # Help
zoomeyeai --version                 # Version
zoomeyeai init -apikey "\x3CKEY>"      # Initialize token
zoomeyeai info                      # Account info & quota
zoomeyeai search "\x3Cdork>" [options] # Core search command

Note: No clear command.

Search Options

Option	Description
`-page \x3Cn>`	Page number, default 1, sorted by update time
`-pagesize \x3Cn>`	Results per page, default 10, max 10000
`-sub_type {v4,v6,web,all}`	Data type. `v4`=IPv4 devices (default), `v6`=IPv6, `web`=websites/domains, `all`=everything
`-facets \x3Citems>`	Aggregate stats, comma-separated. Supports: `product`, `device`, `service`, `os`, `port`, `country`, `subdivisions`, `city`
`-fields \x3Cfields>`	Return fields, comma-separated. Default: `ip,port,domain,update_time`
`-figure {pie,hist}`	Data visualization. Requires `-facets`

Error Handling

Error	Cause	Action
Auth failure / `login required`	Token not configured	Run `zoomeyeai init -apikey "\x3CAPIKEY>"`
`rate limit exceeded` / empty results	Quota exhausted or rate limited	Wait and retry, or check quota → `zoomeyeai info`
Command timeout	Network issue or slow API	Retry once; if still failing, tell user to check network

Search Syntax

Basic Rules

Search is case-insensitive (except == exact match)
Search strings are word-segmented for matching
Wrap string values in quotes: "Cisco System" or 'Cisco System'
Escape internal quotes with \: "a\"b"
Escape parentheses with \: portinfo\(\)

Logical Operators

Operator	Meaning	Example
`=`	Fuzzy match (contains keyword)	`title="knownsec"`
`==`	Exact match (case-sensitive, can search empty values)	`title=="knownsec"`
`\|\|`	OR	`service="ssh" \|\| service="http"`
`&&`	AND	`device="router" && after="2020-01-01"`
`!=`	NOT	`country="US" && subdivisions!="new york"`
`()`	Grouping / precedence	`(country="US" && port!=80) \|\| (country="US" && title!="404 Not Found")`
`*`	Wildcard / fuzzy	`title="google*"`

Search Field Reference

Device & Service Fingerprints

Field	Description	Common Values
`app`	Application/product fingerprint	`"Cisco ASA SSL VPN"`, `"GitLab"`, `"phpMyAdmin"`
`service`	Service protocol	`"ssh"`, `"http"`, `"ftp"`, `"telnet"`, `"mysql"`, `"redis"`, `"rdp"`, `"smb"`
`device`	Device type	`"router"`, `"switch"`, `"storage-misc"`, `"firewall"`, `"webcam"`
`os`	Operating system	`"RouterOS"`, `"Linux"`, `"Windows"`, `"IOS"`, `"JUNOS"`
`title`	HTML title	`"admin"`, `"login"`, `"Cisco"`
`industry`	Industry type	`"government"`, `"technology"`, `"energy"`, `"finance"`, `"manufacturing"`
`product`	Component/product name	`"Cisco"`, `"Apache"`, `"Nginx"`
`protocol`	Transport protocol	`"TCP"`, `"UDP"`, `"TCP6"`, `"SCTP"`
`is_honeypot`	Honeypot filter	`"True"` / `"False"`

IP, Domain & Organization

Field	Description	Example
`ip`	IP address (v4/v6)	`ip="8.8.8.8"`, `ip="2600:3c00::f03c:91ff:fefc:574a"`
`cidr`	CIDR range	`cidr="52.2.254.36/24"` (/24=C, /16=B, /8=A)
`org`	Organization name	`org="Stanford University"`
`isp`	ISP name	`isp="China Mobile"`
`asn`	AS number	`asn=42893`
`port`	Port number	`port=80` (single port only)
`hostname`	Hostname	`hostname="google.com"`
`domain`	Domain/subdomain	`domain="baidu.com"`

Geolocation (English)

Field	Description	Example
`country`	Country (abbreviation or full name)	`"US"`, `"United States"`, `"JP"`
`subdivisions`	State/province (English)	`"california"`, `"new york"`, `"tokyo"`
`city`	City (English)	`"san francisco"`, `"london"`

SSL/TLS Certificates

Field	Description	Example
`ssl`	Certificate content contains (use for product/company search)	`ssl="google"`
`ssl.cert.fingerprint`	SHA1 fingerprint	`ssl.cert.fingerprint="F3C98F223D82CC41CF83D94671CCC6C69873FABF"`
`ssl.chain_count`	Cert chain count	`ssl.chain_count=3`
`ssl.cert.alg`	Signature algorithm	`ssl.cert.alg="SHA256-RSA"`
`ssl.cert.issuer.cn`	Issuer CN	`ssl.cert.issuer.cn="pbx.wildix.com"`
`ssl.cert.subject.cn`	Subject CN	`ssl.cert.subject.cn="example.com"`
`ssl.cert.pubkey.rsa.bits`	RSA public key bits	`ssl.cert.pubkey.rsa.bits=2048`
`ssl.cert.pubkey.ecdsa.bits`	ECDSA public key bits	`ssl.cert.pubkey.ecdsa.bits=256`
`ssl.cert.pubkey.type`	Public key type	`ssl.cert.pubkey.type="RSA"`
`ssl.cert.serial`	Certificate serial	`ssl.cert.serial="18460192207935675900910674501"`
`ssl.cipher.bits`	Cipher bits	`ssl.cipher.bits="128"`
`ssl.cipher.name`	Cipher suite name	`ssl.cipher.name="TLS_AES_128_GCM_SHA256"`
`ssl.cipher.version`	Cipher suite version	`ssl.cipher.version="TLSv1.3"`
`ssl.version`	SSL/TLS version	`ssl.version="TLSv1.3"`
`ssl.jarm`	JARM fingerprint	`ssl.jarm="29d29d15d29d29d00029d29d29d29dea0f89a2e5fb09e4d8e099befed92cfa"`
`ssl.ja3s`	JA3S fingerprint	`ssl.ja3s=45094d08156d110d8ee97b204143db14`

HTTP Headers & Body

Field	Description	Example
`http.header`	HTTP response headers contain	`http.header="http"`
`http.header_hash`	Response header MD5	`http.header_hash="27f9973fe57298c3b63919259877a84d"`
`http.header.server`	Server header value	`http.header.server="Nginx"`
`http.header.version`	Server version	`http.header.version="1.2"`
`http.header.status_code`	HTTP status code	`"200"`, `"302"`, `"404"`, `"500"`
`http.body`	HTML body contains	`http.body="document"`
`http.body_hash`	HTML body MD5	`http.body_hash="84a18166fde3ee7e7c974b8d1e7e21b4"`

Protocol Banners, Hashes & Time

Field	Description	Example
`banner`	Non-HTTP protocol banner	`banner="FTP"`
`iconhash`	Favicon hash (MD5 or mmh3)	`iconhash="f3418a443e7d841097c714d69ec4bcb8"`, `iconhash="1941681276"`
`filehash`	Uploaded file hash	`filehash="0b5ce08db7fb8fffe4e14d05588d49d9"`
`dig`	DNS dig result	`dig="baidu.com 220.181.38.148"`
`after`	Updated after	`after="2020-01-01"` (must combine with other filters)
`before`	Updated before	`before="2020-01-01"` (must combine with other filters)

Additional Fields

The following fields are available:

Field	Description	Example
`vul.cve`	Search by CVE ID	`vul.cve="CVE-2021-44228"`
`is_bugbounty`	Bug Bounty program assets	`is_bugbounty=true`
`bugbounty.source`	Bug Bounty data source	`bugbounty.source="hackerone"`, `"bugcrowd"`, `"intigriti"`, `"yeswehack"`, `"openbugbounty"`, `"all"`
`is_changed`	Asset changed within 7 days (new + updated)	`is_changed=true`
`is_new`	Newly discovered within 7 days	`is_new=true`

Workflow (AI Decision Tree)

Once the environment is verified, follow these steps:

1. Natural Language → Dork Conversion

Geolocation Keywords

User says	Field	Conversion
"US", "United States", "America"	`country`	`country="US"`
"Japan", "JP"	`country`	`country="JP"`
"Germany", "DE"	`country`	`country="DE"`
"California", "CA"	`subdivisions`	`subdivisions="california"`
"New York", "NY"	`city` or `subdivisions`	`city="new york"`
Any English city/state name	`city` / `subdivisions`	`city="london"`

Port/Service Keywords

User says	Field	Conversion
"port XX", "open port XX"	`port`	`port=80`
"SSH", "SSH service"	`service`	`service="ssh"`
"HTTP", "web", "website"	`service`	`service="http"`
"database", "MySQL", "Redis", "MongoDB"	`service`	`service="mysql"`
"RDP", "remote desktop"	`service` or `port`	`service="rdp"`

Device/OS Keywords

User says	Field	Conversion
"router"	`device`	`device="router"`
"switch"	`device`	`device="switch"`
"webcam", "camera"	`device`	`device="webcam"`
"Linux", "Linux server"	`os`	`os="Linux"`
"Windows", "Windows server"	`os`	`os="Windows"`
"Cisco"	`app`	`app="Cisco"`

Additional Keywords

User says	Field	Conversion
"CVE-2021-44228", "Log4j vulnerability", "impact of CVE"	`vul.cve`	`vul.cve="CVE-2021-44228"`
"Bug Bounty assets", "bounty program"	`is_bugbounty`	`is_bugbounty=true`
"HackerOne assets", "Bugcrowd's"	`bugbounty.source`	`bugbounty.source="hackerone"`
"new in last 7 days", "recently discovered", "new assets"	`is_new`	`is_new=true`
"changed in last 7 days", "recently updated"	`is_changed`	`is_changed=true`
"all Bug Bounty sources"	`bugbounty.source`	`bugbounty.source="all"`

Conversion Examples

Natural Language	Dork
"SSH services in the US"	`country="US" && service="ssh"`
"Log4j vulnerability affected assets globally"	`vul.cve="CVE-2021-44228"`
"Nginx servers on HackerOne"	`bugbounty.source="hackerone" && http.header.server="Nginx"`
"Redis services discovered in the last 7 days"	`service="redis" && is_new=true`
"Routers in Japan, exclude honeypots"	`country="JP" && device="router" && is_honeypot!="True"`
"Changed GitLab assets in Bug Bounty"	`is_bugbounty=true && is_changed=true && app="GitLab"`
"Windows RDP in Germany"	`country="DE" && service="rdp" && os="Windows"`
"Assets with port 3389 open, recently changed"	`port=3389 && is_changed=true`
"Admin panels in California"	`(title="admin" \|\| title="login") && subdivisions="california"`
"Let's Encrypt certs on US assets"	`ssl.cert.issuer.cn="Let's Encrypt" && country="US"`

2. Build the Dork

Combine fields with operators:

Narrow down → &&: country="US" && service="redis" && os="Linux"
Broaden → ||: port=80 || port=443 || port=8080
Exclude → !=: country="US" && subdivisions!="california"
Complex logic → (): (country="US" && port!=80) || (country="JP" && title!="404 Not Found")

3. Choose sub_type

Scenario	sub_type
IoT, servers, cameras, ICS, IPv4 assets	`v4` (default)
IPv6 assets	`v6`
Websites, web apps, domains	`web`
Unsure, need everything	`all`

4. Execution Strategy (Quota Optimization)

Follow "probe → verify → export":

# Step 1: Small probe to confirm dork syntax and results
zoomeyeai search "\x3Cdork>" -pagesize 10

# Step 2: Check data distribution with facets (pagesize=1 saves quota)
zoomeyeai search "\x3Cdork>" -facets country,service,os -pagesize 1

# Step 3: Bulk retrieval
zoomeyeai search "\x3Cdork>" -pagesize 1000

5. Shell Quoting Rules

Scenario	Outer Quote	Example
Dork with `field="value"` only, no single quotes	Single quotes	`zoomeyeai search 'country="US" && service="ssh"'`
Dork contains single quote character	Double quotes	`zoomeyeai search "title='Cisco System'"`
Dork contains `&&`, `\|\|` shell special chars	Single quotes (safest)	`zoomeyeai search 'service="ssh" \|\| service="http"'`

Key rule: prefer single quotes as the outer wrapper. Only switch to double quotes when the dork itself contains single quote characters.

Common Search Scenarios

CVE Vulnerability Impact Assessment

# Global distribution of a CVE
zoomeyeai search 'vul.cve="CVE-2021-44228"' -facets country -pagesize 1

# CVE + specific product version
zoomeyeai search 'vul.cve="CVE-2021-44228" && app="Log4j"' -pagesize 100

Bug Bounty Asset Discovery

# Bug Bounty assets from a specific platform
zoomeyeai search 'is_bugbounty=true && bugbounty.source="hackerone"' -pagesize 10

# Specific product in Bug Bounty
zoomeyeai search 'is_bugbounty=true && app="GitLab"' -pagesize 10

# HTTP services across all Bug Bounty platforms
zoomeyeai search 'is_bugbounty=true && bugbounty.source="all" && service="http"' -pagesize 10

New & Changed Asset Monitoring

# SSH services discovered in last 7 days
zoomeyeai search 'service="ssh" && is_new=true' -pagesize 10

# Web assets changed in last 7 days
zoomeyeai search 'service="http" && is_changed=true' -facets country -pagesize 1

# Newly discovered assets affected by a CVE
zoomeyeai search 'vul.cve="CVE-2024-1234" && is_new=true' -pagesize 100

Global Exposure Discovery

# Exposed database services in a country
zoomeyeai search 'country="US" && (service="redis" || service="mysql" || service="mongodb")' -pagesize 10

# Assets of an organization
zoomeyeai search 'org="Stanford University"' -pagesize 100

# Global RDP services, excluding honeypots
zoomeyeai search 'service="rdp" && is_honeypot!="True"' -pagesize 10

Web Application Identification

# Web servers by Server header
zoomeyeai search 'http.header.server="nginx" && country="US"' -sub_type web -pagesize 10

# Admin panels by title
zoomeyeai search '(title="admin" || title="login") && country="JP"' -sub_type web -pagesize 10

# Specific apps by body content
zoomeyeai search 'http.body="phpMyAdmin"' -sub_type web -pagesize 10

SSL Certificate & Fingerprint

# Assets linked to a company's certificate
zoomeyeai search 'ssl="google"' -pagesize 10

# Let's Encrypt issued certificates
zoomeyeai search "ssl.cert.issuer.cn=\"Let's Encrypt\" && country=\"US\"" -pagesize 10

# JARM fingerprint search
zoomeyeai search 'ssl.jarm="29d29d15d29d29d00029d29d29d29dea0f89a2e5fb09e4d8e099befed92cfa"' -pagesize 10

Subnet & IP Scanning

zoomeyeai search 'cidr="52.2.254.36/24"' -pagesize 100
zoomeyeai search 'cidr="52.2.254.36/16" && service="http"' -pagesize 100

SDK Usage

from zoomeyeai.sdk import ZoomEye

zm = ZoomEye(api_key="your-api-key")

# Account info & quota
zm.userinfo()
# Returns: {"email": "", "username": "", "quota": {"plan": "", "end_date": "", "points": "", "zoomeye_points": ""}}

# Search
result = zm.search(
    dork='country=us',
    qbase64='',                  # Base64-encoded query (alternative to dork)
    page=1,
    pagesize=20,                 # SDK default is 20
    sub_type='all',              # v4 / v6 / web / all
    fields='ip,port,domain,os,app,title',
    facets='country,service'
)

Notes

Item	Detail
Quota	Each search consumes quota. Use `-pagesize 1` + `-facets` first, then bulk retrieve
Geolocation	Use English names, e.g. `country="United States"` or `country="US"`
`-save`	Not available. Export data manually or use SDK
`before`/`after`	Cannot be used alone; must combine with other filters
Shell quoting	Always wrap the dork in quotes. Prefer single quotes

Usage Guidance

Do not treat this as a completed security review. Re-run the scan when metadata.json and artifact files can be inspected, then review any requested credentials, install steps, persistence, and data access before installing.

Capability Tags

requires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

Not assessable from available artifact text; no SKILL.md or metadata contents could be read.

ℹ Instruction Scope

Not assessable from available artifact text; no runtime instructions could be inspected.

ℹ Install Mechanism

Not assessable from available artifact text; install specs and manifest contents could not be read.

ℹ Credentials

Not assessable from available artifact text; no file, network, credential, or command requirements could be verified.

ℹ Persistence & Privilege

Not assessable from available artifact text; no persistence or privilege behavior could be verified.

Version History

v1.0.0

Initial release of zoomeye-ai-search. - Introduces CLI for ZoomEye AI cyberspace search, supporting global network asset discovery. - Provides extensive documentation for search syntax, fields, workflows, error handling, and prerequisites. - Supports dork query building, asset search by CVE, bug bounty discovery, and filtering by update or addition time. - Includes key search options (pagination, data types, result fields, facets, and visualization). - Walks users through environment setup, authentication, and troubleshooting steps.

Metadata

Slug zoomeye-ai-search

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is zoomeye-ai-search?

Command-line tool for searching global network assets using ZoomEye AI, supporting advanced queries for asset discovery, CVE, and Bug Bounty research. It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.

How do I install zoomeye-ai-search?

Run "/install zoomeye-ai-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is zoomeye-ai-search free?

Yes, zoomeye-ai-search is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does zoomeye-ai-search support?

zoomeye-ai-search is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created zoomeye-ai-search?

It is built and maintained by JJBondOne (@jjbondone); the current version is v1.0.0.

More Skills

zoomeye-ai-search