shodan-mcp
shodan-mcp is an MCP (Model Context Protocol) server that exposes Shodan capabilities as 20 callable tools for AI agents. It supports passive reconnaissance and vulnerability intelligence (CVE/CPE) and provides 4 tools that work without a Shodan API key.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security controls are described at a high level: input validation, injection prevention (forbidden characters are rejected), no shell execution (requests go through httpx), and API key protection (the key is not exposed in error messages or logs). TLS enforcement and the dependency vulnerability posture are not verifiable from the provided text. Scope granularity is not described; a Shodan API key normally carries the full access of the account's plan, so the server should be treated as holding an all-access credential.
⚡ Reliability
Best When
You need IDE/agent-integrated passive intelligence from Shodan (especially CVE/CPE and pre-indexed device search) with validated inputs and structured outputs.
Avoid When
You cannot obtain or adequately protect a Shodan API key, or you lack authorization and a compliance basis for OSINT research on the targets.
Use Cases
- Passive OSINT for internet-facing services and exposed devices
- CVE/CPE lookup and CVE search enriched with vulnerability-related metadata
- DNS resolution and reverse DNS for observed hosts/domains
- Device search using Shodan query language for reconnaissance workflows
- Honeypot likelihood scoring to prioritize targets for further investigation
Not For
- Automated targeting or exploitation of systems (the tool is passive but can facilitate recon that could be misused)
- Scanning networks you do not have authorization to investigate
- Replacing a full vulnerability management workflow (this is research/intelligence)
Interface
Authentication
The README indicates that an API key is required for most tools; 4 tools work without one. No OAuth flow or fine-grained scopes are described.
Pricing
Pricing depends on Shodan API plan/credits; specific plan costs and rate/credit units are not provided in the package docs.
Agent Metadata
Known Gotchas
- ⚠ 16 of the 20 tools require a Shodan API key; agents should expect and handle a structured failure when the key is missing rather than treating it as a transient error.
- ⚠ Key-required tools (search/recon) may consume API credits even though the operations are passive; budget credits before running bulk or agent-driven searches.
- ⚠ Results depend on Shodan's indexing freshness; CVE/CPE mappings may be incomplete for newly disclosed products.
- ⚠ When the server is run in Docker for MCP, SHODAN_API_KEY must be passed into the container environment (for example with docker's -e flag) or key-based tools will fail.
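As an added example (not code from shodan-mcp, Shodan, or the README), the following Python sketches the controls the Security section attributes to the server together with the SHODAN_API_KEY gotchas above: an allow-list validator for query strings, redaction of the key from error text before it is returned to the agent, a dispatcher that fails closed on key-required tools when the key is missing, and a `docker run` argv that passes the key by name only. The tool names, the allowed-character set, the length limit, the image name and the backend are assumptions for illustration; only the 4-of-20 key-free split and the SHODAN_API_KEY variable name come from the page.

```python
"""Added example, not code from shodan-mcp or Shodan; names and limits are assumptions."""
import re
from typing import Any, Callable, Dict, List, Mapping, Optional

# Assumed allow-list for Shodan query syntax, e.g. port:22 org:"Example" country:US.
# Control characters and shell/URL metacharacters fall outside it and are rejected.
ALLOWED_QUERY = re.compile(r'^[A-Za-z0-9 ._:"/,\-]+$')
MAX_QUERY_LEN = 512

# Hypothetical tool names; only the key-free / key-required split comes from the README.
TOOL_REQUIRES_KEY: Dict[str, bool] = {
    "cve_lookup": False,   # vulnerability intelligence, works without a key
    "search_hosts": True,  # device search, consumes API credits
    "dns_resolve": True,
}


class ValidationError(ValueError):
    """Raised when an argument fails the allow-list before any request is built."""


def validate_query(query: str) -> str:
    """Reject anything outside the allow-list; return the query unchanged if it passes."""
    if not isinstance(query, str) or not query.strip():
        raise ValidationError("query must be a non-empty string")
    if len(query) > MAX_QUERY_LEN:
        raise ValidationError(f"query longer than {MAX_QUERY_LEN} characters")
    if not ALLOWED_QUERY.fullmatch(query):
        bad = sorted({c for c in query if not ALLOWED_QUERY.fullmatch(c)})
        raise ValidationError(f"forbidden characters: {bad!r}")
    return query


def redact_key(text: str, api_key: Optional[str]) -> str:
    """Scrub the key from text that may be logged or returned to the agent.

    Shodan takes the key as a ?key= query parameter, so an httpx error string such as
    "Client error '401' for url 'https://api.shodan.io/...?key=XXXX'" would leak it.
    """
    if api_key:
        text = text.replace(api_key, "[REDACTED]")
    return re.sub(r"(key=)[^&\s'\"]+", r"\1[REDACTED]", text)


def mcp_error(text: str) -> Dict[str, Any]:
    """MCP tool-call result in its error form (content list plus isError flag)."""
    return {"isError": True, "content": [{"type": "text", "text": text}]}


def dispatch(tool: str, args: Dict[str, Any], env: Mapping[str, str],
             backend: Callable[[str, Dict[str, Any], str], Any]) -> Dict[str, Any]:
    """Run one tool call: fail closed without a key, validate input, never echo the key."""
    if tool not in TOOL_REQUIRES_KEY:
        return mcp_error(f"unknown tool {tool!r}")
    api_key = env.get("SHODAN_API_KEY", "").strip()
    if TOOL_REQUIRES_KEY[tool] and not api_key:
        return mcp_error(f"{tool} requires SHODAN_API_KEY in the server environment")
    try:
        if "query" in args:
            args = {**args, "query": validate_query(args["query"])}
        result = backend(tool, args, api_key)
    except ValidationError as exc:
        return mcp_error(f"invalid input: {exc}")
    except Exception as exc:  # HTTP/network errors: pass the message on, but scrubbed
        return mcp_error(redact_key(f"{type(exc).__name__}: {exc}", api_key))
    return {"isError": False, "content": [{"type": "text", "text": str(result)}]}


def docker_launch_argv(image: str, env: Mapping[str, str]) -> List[str]:
    """argv for an MCP client that starts the server with `docker run`.

    `-e SHODAN_API_KEY` with no `=value` makes docker copy the variable from the client's
    environment, so the secret is not in argv, `ps` output or the client's config file.
    """
    argv = ["docker", "run", "-i", "--rm"]
    if env.get("SHODAN_API_KEY"):  # unset: omit it and let the server fail closed
        argv += ["-e", "SHODAN_API_KEY"]
    argv.append(image)
    return argv


def constructed_backend(tool: str, args: Dict[str, Any], api_key: str) -> Any:
    """Stand-in for the real HTTP call (constructed for this example, no network).

    For key-required tools it mimics an httpx 401 whose message embeds the request URL.
    """
    if tool == "cve_lookup":
        return {"cve": args.get("cve"), "source": "constructed"}
    raise RuntimeError("Client error '401 Unauthorized' for url "
                       f"'https://api.shodan.io/shodan/host/search?key={api_key}&query=x'")


def demo() -> Dict[str, Any]:
    """Exercise each path on constructed input and return the results."""
    env = {"SHODAN_API_KEY": "s3cr3t-key-value"}
    image = "example/shodan-mcp:latest"  # placeholder image name
    return {
        "missing_key": dispatch("search_hosts", {"query": "port:22"}, {}, constructed_backend),
        "key_free": dispatch("cve_lookup", {"cve": "CVE-2021-44228"}, {}, constructed_backend),
        "bad_query": dispatch("search_hosts", {"query": "port:22 | id"}, env, constructed_backend),
        "leaky_error": dispatch("search_hosts", {"query": "port:22"}, env, constructed_backend),
        "argv_with_key": docker_launch_argv(image, env),
        "argv_without_key": docker_launch_argv(image, {}),
    }
```

Calling `demo()` runs every path offline. The gating check turns a missing key into a clear MCP error instead of a 401 from Shodan, and the redaction step is what keeps the key out of the error text that an agent would otherwise see (and possibly log) when a real request fails.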
Alternatives
Scores are editorial opinions as of 2026-03-30.