
Space Query Skill

Author: gandli · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 103
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install space-query-skill
Description
Build search queries for network asset discovery platforms (cyberspace mapping). Use when users want to find network assets, discover attack surfaces, investigate vulne...
Usage instructions (SKILL.md)

Space Query Skill

Multi-platform query builder for FOFA, Quake, ZoomEye, and Shodan.

Quick Start

  1. Detect platform — Use specified platform or ask user
  2. Analyze intent — What to find, where, attributes, exclusions
  3. Build query — Apply correct syntax for the platform
  4. Present result — Use the output format below

Platform Selection

| Platform | Best For | Syntax Style |
|---|---|---|
| FOFA | Global coverage, protocol details | field="value" |
| Quake (鹰图) | China data, threat intel | field:value |
| ZoomEye | Service fingerprints | field:value |
| Shodan | IoT, vulnerability correlation | field:value |

Core Patterns

Pattern 1: Exposed Service

FOFA:   product="Redis" && port="6379" && country="CN"
Quake:  app:Redis AND port:6379 AND country:China
Shodan: product:Redis port:6379 country:CN

Pattern 2: Login Page

FOFA:   (title="登录" || title="admin" || title="后台") && country="CN"
Quake:  (keyword:登录 OR keyword:admin) AND country:China
Shodan: title:"login" country:CN

Pattern 3: File Upload

FOFA:   (body="plupload" || body="webuploader" || title="上传") && country="CN"
Shodan: http.html:"type=\"file\"" country:CN

Pattern 4: SSL Certificate Issue

FOFA:   cert.is_expired=true && country="CN"
Shodan: ssl.cert.expired:true country:CN

Pattern 5: CVE/Vulnerability Search

Critical: Always extract features from CVE info and use platform-specific product identifiers.

CVE Query Workflow

┌─────────────────────────────────────────────────────────────┐
│  Step 1: WebSearch for official queries                    │
│  Search: "[Platform] CVE-XXXX-XXXX" or "[CVE] + FOFA"  │
└─────────────────────────┬───────────────────────────────────┘
                          ▼
┌─────────────────────────────────────────────────────────────┐
│  Step 2: Find official source                               │
│  - Platform blog (en.fofa.info, quake.360.net/blog)     │
│  - Security sites (securityonline.info, nvd.nist.gov)     │
│  - GitHub PoC repos often contain platform queries         │
└─────────────────────────┬───────────────────────────────────┘
                          ▼
┌─────────────────────────────────────────────────────────────┐
│  Step 3: Extract platform-specific product ID               │
│  - FOFA uses app="product-name"                            │
│  - Quake uses app:product-name                             │
│  - Shodan uses product:product-name                        │
└─────────────────────────┬───────────────────────────────────┘
                          ▼
┌─────────────────────────────────────────────────────────────┐
│  Step 4: Build query                                       │
└─────────────────────────────────────────────────────────────┘

How to Find Official Sources

When given a CVE, ALWAYS use WebSearch first:

# Search for platform-specific queries
web_search: "CVE-2024-38819 FOFA query"
web_search: "CVE-2024-38819 fofa.info"
web_search: "CVE-2024-38819 Quake 360"
web_search: "CVE-2024-38819 PoC github"

# Search for official platform announcements
web_search: "site:en.fofa.info CVE-2024-38819"
web_search: "site:quake.360.net CVE"

Official Sources to Check:

| Source | URL | What to Find |
|---|---|---|
| FOFA Blog | en.fofa.info | Official queries with exact app IDs |
| Quake Blog | quake.360.net/blog | Threat intel announcements |
| NVD | nvd.nist.gov | CVE details, affected products |
| SecurityOnline | securityonline.info | PoC with platform queries |
| GitHub | github.com | PoC exploits often include FOFA/Quake queries |

Example - CVE-2024-38819

Step 1: WebSearch

Search: "CVE-2024-38819 FOFA"
Result: en.fofa.info shows "app="vmware-Spring-Framework""

Step 2: Official Query Found

FOFA: app="vmware-Spring-Framework"  (25k+ results)

Step 3: Cross-platform translation

FOFA:   app="vmware-Spring-Framework"
Shodan: product:"Spring Framework"
Quake:  app:Spring
ZoomEye: app:spring

Wrong vs Correct Approach

Wrong (lazy):

body="CVE-2024-38819"     ❌ CVE ID in body, no results
product="Spring"           ❌ Wrong product ID for most platforms

Correct (official product ID):

app="vmware-Spring-Framework"  ✅ FOFA official query

Verified CVE Query Table

| CVE | Affects | FOFA | Shodan | Quake |
|---|---|---|---|---|
| CVE-2024-38819 | Spring Framework | app="vmware-Spring-Framework" | product:"Spring Framework" | app:Spring |
| CVE-2021-44228 | Apache Log4j | app="Apache-log4j2" | product:log4j | app:log4j |
| CVE-2019-0708 | Windows RDP | app="Microsoft-RDP" | vuln:CVE-2019-0708 | app:RDP |
| CVE-2022-22965 | Spring4Shell | app="vmware-Spring-Framework" | product:Spring | app:Spring |

Rule: When you find an official query from a trusted source (platform blog, security site, verified PoC), use that exact query.

Operator Precedence

() > == > = > != > && > ||

Rule: Always wrap multiple OR conditions with ().
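
A small linter for the parenthesization rule above, added here as an example and not part of the skill's own files: it flags any FOFA-style query in which && and || appear at the same parenthesis level. The function name and the sample queries are constructed for illustration.

```python
import re

# Quoted values are matched first so operators or parentheses inside them are ignored.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\(|\)|&&|\|\|')


def find_mixed_groups(query):
    """Return (depth, offset) for each group where && and || share one level.

    depth 0 is the top level of the query; offset is the character position of
    the operator that first makes the group depend on implicit precedence.
    """
    findings = []
    stack = [set()]    # operators seen so far, one set per open parenthesis level
    flagged = [False]  # report each group at most once
    for m in _TOKEN.finditer(query):
        tok = m.group()
        if tok == "(":
            stack.append(set())
            flagged.append(False)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError(f"unbalanced ')' at offset {m.start()}")
            stack.pop()
            flagged.pop()
        elif tok in ("&&", "||"):
            stack[-1].add(tok)
            if len(stack[-1]) == 2 and not flagged[-1]:
                flagged[-1] = True
                findings.append((len(stack) - 1, m.start()))
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in query")
    return findings


# Constructed samples, reusing the title/country fields from the patterns above.
UNGROUPED = 'title="login" || title="admin" && country="CN"'
GROUPED = '(title="login" || title="admin") && country="CN"'
QUOTED = 'body="a || b" && country="CN"'

if __name__ == "__main__":
    for q in (UNGROUPED, GROUPED, QUOTED):
        print(q, "->", find_mixed_groups(q) or "ok")
```

Because && binds tighter than || in the precedence list, the ungrouped sample applies the country filter only to the second title term, which is the mistake the rule guards against.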

Output Format

Present queries using this structure:

## Query

**Platform:** [Platform]

[Query Here]


### Explanation
- **Target:** What this finds
- **Fields:** Main fields used
- **Logic:** AND/OR relationship

### Suggestions
- Additional filters to consider
- Known limitations
- Alternative approaches

Field Reference

See resources/fields.md for complete field lists per platform.

Important Notes

  1. Parentheses: (A || B) && C, not A || B && C
  2. Platform syntax differs: FOFA uses =" while others use :
  3. Chinese chars: country="中国" works in FOFA, prefer English elsewhere
  4. Time filtering: after/before in FOFA/Quake

Troubleshooting

| Issue | Solution |
|---|---|
| No results | Add status_code="200" or remove strict filters |
| Too many results | Add country, time, or product filters |
| Wrong syntax | Check platform in reference files |
Security usage recommendations
This skill is internally consistent: it provides templates and translation rules for building queries on FOFA, Quake, ZoomEye, and Shodan and does not request credentials or install code. Before installing, consider: 1) The skill recommends web searches and GitHub PoCs — those sources can include exploit code or detailed instructions for attacking systems. Ensure you (and your organization) have legal authorization before using the queries against any target. 2) Because the agent may fetch external pages, confirm you want the agent to have web access and be comfortable with it retrieving third-party content. 3) Review any generated queries before running them on these platforms to avoid unintended scanning or policy violations. 4) If you need provenance, prefer skills with a verifiable upstream repository and maintainer rather than an unknown source.
Functional analysis
Type: OpenClaw Skill
Name: space-query-skill
Version: 1.0.0
The space-query-skill is a utility designed to help users construct search queries for network asset discovery platforms such as FOFA, Shodan, Quake, and ZoomEye. The bundle consists of documentation (SKILL.md, README.md, fields.md) and metadata that guide an AI agent in translating user requests into platform-specific syntax for identifying exposed services, login pages, and vulnerabilities (CVEs). There is no evidence of malicious code, data exfiltration, or unauthorized execution; the skill functions as a legitimate tool for security reconnaissance and asset management.
Capability assessment
Purpose & Capability
Name/description match the SKILL.md and resource files: the repository contains templates, field mappings, and CVE query guidance for FOFA, Quake, ZoomEye, and Shodan. No unexpected binaries, env vars, or installs are requested, which is proportionate for an instruction-only query builder.
Instruction Scope
Instructions remain within the stated purpose (build and translate queries). The runtime guidance explicitly directs the agent to perform web searches (platform blogs, NVD, GitHub PoCs) to extract official product identifiers. That behavior is coherent for accurate CVE-to-query translation but can surface PoC/exploit content—agents may retrieve or summarize external exploit information if given permission to web-search and fetch content.
Install Mechanism
No install spec and no code files that run on install. Being instruction-only means nothing is downloaded or written to disk by the skill itself, which is the lowest-risk install model.
Credentials
The skill declares no required environment variables, credentials, or config paths. The guidance does reference external platform docs and APIs but does not require the user's platform credentials—environment/credential requests are proportionate (none).
Persistence & Privilege
always:false and default autonomous invocation are set. The skill does not request permanent/always-on presence nor does it attempt to modify other skills or system-wide settings. Autonomous invocation is the platform default and not, on its own, concerning.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install space-query-skill
  3. After installation, invoke the Skill by name or trigger it with /space-query-skill
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
- Initial public release of space-query-skill.
- Builds search queries for major network asset discovery platforms: FOFA, Quake, ZoomEye, and Shodan.
- Supports asset, service, vulnerability (CVE), and attack surface search use-cases.
- Provides official query patterns, platform syntax guides, and practical usage examples.
- Includes workflow for verified CVE query building and cross-platform translation.
- Defines standardized, easy-to-follow output and explanation format.
Metadata
Slug: space-query-skill
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
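FAQ

What is Space Query Skill?

Build search queries for network asset discovery platforms (cyberspace mapping). Use when users want to find network assets, discover attack surfaces, investigate vulne... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 103 total downloads so far.

How do I install Space Query Skill?

Run the command "/install space-query-skill" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Space Query Skill free?

Yes. Space Query Skill is completely free and uses the MIT-0 license; it can be downloaded, installed, and used freely.

Which platforms does Space Query Skill support?

Space Query Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Space Query Skill?

It is developed and maintained by gandli (@gandli); the current version is v1.0.0.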
