s0md3v / Striker

Striker is an offensive information and vulnerability scanner.
GNU General Public License v3.0

Hardcoded API key #15

Closed vincentcox closed 6 years ago

vincentcox commented 6 years ago

I don't know if it's intended, but you disclosed your API key in the code. https://github.com/UltimateHackers/Striker/blob/e79af7f91b6dc5e9bc5f93fa38f352b623dd1d3a/striker.py#L109

People can use this API key on Shodan to use your credits.

It's very generous, but it will be abused ultimately.

vincentcox commented 6 years ago

I would revoke the API key in your account.

s0md3v commented 6 years ago

Is there any way to keep this feature without using a hardcoded API key?

vincentcox commented 6 years ago

That will be tricky. If you revoke the key, the script will stop running for all users. I know that Shodan supports developers of tools like these. Maybe you can ask them to get a free API key, pinned down for only that feature (honeyscore), so it cannot be misused for other tasks. They will probably ask you for a mention in your readme.md file in return. If you get a new key, you can change it here on GitHub and revoke the other key after a few months, making it a smooth transition without breaking it for all users immediately. I assume that the current key is your personal key, because if I call the profile API, I get a name in return: https://api.shodan.io/account/profile?key=C23OXE0bVMrul2YeqcL7zxb6jZ4pj2by. I also see that you have 0 credits left, so someone else might already be using your account with the key.
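The two comments above ask how a tool can keep a Shodan-backed feature without shipping the key in the source. The usual answer is to read the key from the user's environment and degrade gracefully when it is absent, and to add a cheap check that catches key-shaped string literals before they are committed. The following is an added example, not code from Striker or from either commenter; the environment variable name `SHODAN_API_KEY`, the helper names, the honeyscore URL form and the sample source snippets are all assumptions constructed for illustration.

```python
import os
import re
from typing import List, Optional, Tuple

# Assumed variable name: Striker itself does not define one.
ENV_VAR = "SHODAN_API_KEY"


def load_shodan_key(environ=None) -> Optional[str]:
    """Return the Shodan key from the environment, or None if unset or blank.

    Reading the key at runtime keeps it out of the repository; each user
    supplies their own, so revoking the maintainer's key breaks nothing.
    """
    env = os.environ if environ is None else environ
    key = env.get(ENV_VAR, "").strip()
    return key or None


def honeyscore_url(ip: str, key: Optional[str]) -> Optional[str]:
    """Build the honeyscore request only when a key is available.

    Returning None lets the caller skip the optional feature instead of
    crashing, which is the 'keep the feature' behaviour the issue asks for.
    The URL form is assumed from the public Shodan Labs endpoint and is
    not requested here, so the example runs offline.
    """
    if key is None:
        return None
    return f"https://api.shodan.io/labs/honeyscore/{ip}?key={key}"


# Matches `... key = "<32 alphanumerics>"` or the api_key/token variants.
# Shodan keys are 32-character alphanumeric strings, so a quoted literal of
# that shape assigned to a key-like name is a strong signal of a hardcoded
# secret. Pattern is a heuristic, constructed for this example.
HARDCODED_KEY_RE = re.compile(
    r"""(?i)(?:api_?key|key|token)\s*=\s*['"]([A-Za-z0-9]{32})['"]"""
)


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, literal) for every key-shaped literal assignment.

    Intended as a pre-commit check over a file's text; it flags the pattern
    that issue #15 reported so the key never reaches the public history.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = HARDCODED_KEY_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample sources (the key value below is a made-up placeholder).
SAMPLE_BAD = '''import requests
# script that embeds its secret directly in the source
shodan_key = "0123456789abcdef0123456789abcdef"
'''

SAMPLE_GOOD = '''import os
shodan_key = os.environ.get("SHODAN_API_KEY")
'''


if __name__ == "__main__":
    print("hardcoded in SAMPLE_BAD:", find_hardcoded_keys(SAMPLE_BAD))
    print("hardcoded in SAMPLE_GOOD:", find_hardcoded_keys(SAMPLE_GOOD))
    key = load_shodan_key()
    print("honeyscore request:", honeyscore_url("198.51.100.7", key))
```

Run with `SHODAN_API_KEY` set to see the request URL built; run without it to see the feature skipped rather than failing. The scanner is deliberately narrow (key-like name, 32 alphanumerics) to keep false positives low in a pre-commit hook; widen it if the project uses other providers.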

s0md3v commented 6 years ago

It's been 3 days since I sent them a mail and there's still no reply from the Shodan team.

vincentcox commented 6 years ago

If there is an UltimateHackers Twitter handle, I would use that to tweet at them (or send a private message). Strange that they haven't replied yet...

s0md3v commented 6 years ago

They aren't replying so I think I should close this issue now. Thanks for letting me know about this.