ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subdomain Hunter

v1.4.0

Performs passive subdomain enumeration using CT logs, DNS zone transfer checks, takeover detection, and optional bruteforce without active probing.

0· 97·0 current·0 all-time
by@snipercat69

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-subdomain-hunter.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Subdomain Hunter" (snipercat69/edgeiq-subdomain-hunter) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-subdomain-hunter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install edgeiq-subdomain-hunter

ClawHub CLI

Package manager switcher

npx clawhub@latest install edgeiq-subdomain-hunter
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (passive subdomain enumeration) is broadly consistent with the included code (crt.sh queries, DNS checks, takeover detection, bruteforce). However SKILL.md repeatedly claims 'no active probing' while the code: performs DNS resolution, attempts TCP connections to port 53 (zone transfer checks), and can run bruteforce—these are active network actions and contradict the passive claim. Also the SKILL.md and README advise using EDGEIQ_EMAIL / license files for Pro/Bundle, but the registry metadata lists no required env vars—an inconsistency.
!
Instruction Scope
Runtime instructions (SKILL.md) instruct users to run the included Python script and to set EDGEIQ_EMAIL for premium features. The doc promises 'passive' recon but the instructions and code enable active checks (AXFR attempts, resolution of many candidate hosts, optional bruteforce). SKILL.md also suggests copying files from a workspace path and using Discord commands, which are operational details outside the skill's declared metadata. The instructions grant the skill discretion to perform network probing beyond purely passive CT scraping.
Install Mechanism
There is no install specification (instruction-only), so nothing will be automatically downloaded/executed during install. The package does include Python files shipped with the skill; that means code will run on invocation but there is no installer that fetches remote archives or binaries. This is lower risk from an install mechanism perspective.
!
Credentials
Registry metadata says no required env vars, but SKILL.md and the code expect/use EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY and a license file under ~/.edgeiq/license.key. The licensing module also implicitly grants bundle access for a specific email (gpalmieri21@gmail.com). Asking for an email/env var and reading a license file in the user's home is reasonable for licensing, but the mismatch with declared metadata and the hardcoded permissive check for a specific email are noteworthy and unexpected.
Persistence & Privilege
The skill does not request 'always' presence and does not include an install script that writes to system-wide locations. It reads/writes a per-user license file (~/.edgeiq/license.key) which is normal for license management. There is no evidence it modifies other skills or global agent settings.
What to consider before installing
This skill contains working code and will perform network activity when run. Before installing or running it: - Don't trust the 'passive' label: the tool intentionally performs active DNS resolution, AXFR attempts (connecting to port 53), and optional bruteforce. Only run it against domains you own or have explicit written permission to audit. - Metadata omission: the registry says no env vars are required, but the tool uses EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY and ~/.edgeiq/license.key for licensing—expect to provide these or to have the tool read your home directory. - Licensing quirk: the licensing code contains a hardcoded allowance for a specific email address, and license logic reads files in your home directory. Review edgeiq_licensing.py to ensure it matches your expectations and doesn't unintentionally grant or leak access. - Audit network behavior: the script queries crt.sh (https requests) and performs raw socket connections; if you are in a restrictive environment, run it in an isolated VM or container and inspect network traffic first. - Verify provenance: source/homepage are missing and README points to an external GitHub user. If you need long-term trust, request a canonical source (repo, author identity) and validate the Stripe/payment links and contact email. If you are uncertain, do not run this against real targets or production networks; review the code (subdomain_hunter.py and edgeiq_licensing.py) and run in an isolated environment. If the mismatches above worry you, treat this as potentially risky until provenance and env-var behavior are clarified.
!
subdomain_hunter.py:216
Potential obfuscated payload detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ek6j7cdsn6vg3tt1z1d4nn85h9zz
97downloads
0stars
4versions
Updated 3d ago
v1.4.0
MIT-0
@snipercat69
latest
Download

Subdomain Hunter

Skill Name: subdomain-hunter
Version: 1.0.0
Category: Security / Reconnaissance
Price: Lifetime: $39 / Optional Monthly: $7/mo (all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib + socket, WSL + Linux

What It Does

Passive subdomain enumeration using Certificate Transparency logs, DNS zone transfer checks, and takeover detection. Reconnaissance-grade discovery without sending active probes.

⚠️ Legal Notice: Only enumerate domains you own or have explicit written permission to audit. Unauthorized recon is illegal.

Features

  • Certificate Transparency enumeration — scrape crt.sh for subdomain history
  • DNS zone transfer check — attempt AXFR with common NS records
  • Takeover detection — identify subdomains pointing to unclaimed/inactive services (CNAME to dead endpoints)
  • Common subdomain bruteforce — lightweight wordlist scan for common subdomains
  • Subdomain resolution — verify discovered subdomains resolve
  • JSON export — structured output for integration

Tier Comparison

FeatureFreePro ($19/mo)Bundle ($39/mo)
CT log enumeration✅ (50 results)✅ (unlimited)✅ (unlimited)
Zone transfer check
Takeover detection
Bruteforce wordlist✅ (2000 names)✅ (2000 names)✅ (2000 names)
JSON export
Concurrent resolution✅ (50 threads)✅ (50 threads)✅ (50 threads)

Installation

cp -r /home/guy/.openclaw/workspace/apps/subdomain-hunter ~/.openclaw/skills/subdomain-hunter

Usage

Basic scan (free tier — 50 results)

python3 subdomain_hunter.py --domain example.com

Pro scan (unlimited + takeover detection)

EDGEIQ_EMAIL=your_email@gmail.com python3 subdomain_hunter.py --domain example.com --pro

Full bundle scan (bruteforce + concurrent threads)

EDGEIQ_EMAIL=your_email@gmail.com python3 subdomain_hunter.py --domain example.com --bundle --bruteforce

Export to JSON

python3 subdomain_hunter.py --domain example.com --output results.json

Check for takeovers only

python3 subdomain_hunter.py --domain example.com --takeover-only

As OpenClaw Discord Command

In #edgeiq-support channel:

!subdomain example.com
!subdomain example.com --takeover
!subdomain example.com --bruteforce

Parameters

FlagTypeDefaultDescription
--domainstringTarget domain
--proflagFalseEnable Pro features
--bundleflagFalseEnable Bundle features
--bruteforceflagFalseRun common subdomain wordlist
--takeoverflagFalseRun takeover detection
--takeover-onlyflagFalseOnly run takeover detection
--outputstringWrite JSON report to file
--threadsint20/50Concurrent threads (Pro/Bundle)

Output Example

=== Subdomain Hunter ===
example.com
  CT Entries:    47
  Resolved:      31
  Dead:          5
  Takeovers:     2 🔴

  Discovered subdomains:
    api.example.com         ✅ resolves → 1.2.3.4
    staging.example.com    ✅ resolves → 1.2.3.5
    dev.example.com         ❌ DEAD (CNAME to Heroku)
    old.example.com         🔴 TAKEOVER (no CNAME, 404)
    blog.example.com        ✅ resolves → 1.2.3.6

  Zone Transfer:  BLOCKED
  Threat Level:  MEDIUM

Pricing

Lifetime License: $39 — your tool forever, all features included permanently.

Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime). 👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo

Pro Upgrade (deprecated)

All features now included in Lifetime purchase.

Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com

🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →

Comments

Loading comments...