Gandi - Registrar & DNS

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Gandi domain-management tool with powerful but purpose-aligned DNS, email, domain, and certificate actions.

Install only if you are comfortable giving the skill a Gandi token with the scopes you choose. Prefer separate read-only and write tokens, avoid printing or putting tokens in shell profiles, use snapshots before DNS changes, and review any --force, bulk DNS, email-forwarding, DNSSEC, registration, renewal, or certificate command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The helper reads configuration from unrelated local application paths (for example ~/.clawdbot and ~/.moltbot) and resolves environment-variable references from those files, which expands the skill's access beyond its own dedicated Gandi configuration scope. In an agent setting, this creates cross-context secret exposure risk: the skill may ingest credentials or sensitive values from other tools' configs and then use them for network operations or diagnostics, violating least privilege and increasing the blast radius of compromise.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script advertises itself as updating existing DNS records, but when a record is missing it explicitly falls back to creating a new one. In a DNS-management skill that includes destructive and write operations, this mismatch can cause unintended zone changes if an operator or upstream agent expects a safe update-only action; a typo in name/type or an incorrect assumption about existing state can silently create new records that affect routing, mail delivery, or verification records.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The documentation instructs users to place a live personal access token in a predictable local file path and gives a copy-paste setup script, but the warning about credential sensitivity is separated from that step. This increases the chance users will leave high-value credentials on disk without considering host compromise, backup leakage, accidental file inclusion, or multi-user system exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The registration example includes full owner contact details such as name, email, street address, city, ZIP code, country, and phone number, but does not explicitly warn that these fields are sensitive PII sent to an external registrar. In a skill that supports automated domain operations, users may copy real data into requests without understanding the privacy and compliance implications, increasing risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The transfer section states that auth codes and contact information are required but does not warn that these are sensitive credentials and personal data transmitted during transfer. Auth codes can enable registrar transfer operations, so omitting handling guidance may lead users to expose secrets in logs, prompts, screenshots, or insecure workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide tells users to display the full API token with `cat ~/.config/gandi/api_token` and even states the expected output is the token itself, which can expose credentials to shoulder-surfing, terminal logging, shell history capture, screen recording, or support screenshots. Because this token grants access to domain and DNS management, accidental disclosure could enable unauthorized DNS changes or domain administration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example `curl` commands read the bearer token from disk and send it in authenticated requests, but the documentation does not warn that these commands may leak secrets via shell history, process inspection in some environments, logging wrappers, CI output, or copied terminal transcripts. The commands are legitimate for API testing, but the missing handling guidance makes accidental credential exposure more likely.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script prints organization labels, names, default status, and sharing IDs directly to stdout. While it does not expose the API token itself, these identifiers are still sensitive operational metadata that can aid reconnaissance, especially if terminal output is logged, shared in screenshots, or collected by CI/job logs.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The helper performs a live DELETE against DNS records with no built-in confirmation, dry-run mode, or snapshot precheck. In an agent skill context with remote side effects, this increases the chance of accidental or prompt-induced destructive changes that can disrupt routing, email delivery, and service availability.

Missing User Warnings

High
Confidence
91% confidence
Finding
Bulk DNS replacement overwrites the entire record set for a domain and can instantly break websites, mail, verification records, and failover configurations. Without explicit warnings, diff preview, or confirmation, a mistaken or manipulated call can cause large-scale outage and difficult recovery.

Missing User Warnings

High
Confidence
89% confidence
Finding
Snapshot restore is effectively a destructive rollback of the active DNS zone and can remove recent critical changes without warning. In a tool callable by an agent, this creates a strong risk of accidental service regression or attacker-influenced rollback through prompt misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The remove action performs a destructive local operation immediately after receiving a profile name, with no confirmation prompt, dry-run mode, or force flag semantics. This increases the chance of accidental deletion of stored configuration, which can disrupt operations or remove access to important registrar accounts, especially in multi-profile environments.

Missing User Warnings

Low
Confidence
87% confidence
Finding
This script sends the user-supplied domain or derived variations to an external registrar API to check availability, but it does not clearly warn the user at runtime that their queried names will be transmitted off-host. Domain ideas can be sensitive business information, and silent disclosure may leak unreleased project names or branding plans to a third party.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Delete with confirmation prompt
node delete-email-forward.js example.com old

# Delete without confirmation
node delete-email-forward.js example.com old --force

# Delete catch-all forward
Confidence
75% confidence
Finding
without confirmation

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
export GANDI_API_TOKEN="YOUR_PERSONAL_ACCESS_TOKEN"

# Add to shell profile for persistence (~/.bashrc, ~/.zshrc, etc.)
echo 'export GANDI_API_TOKEN="YOUR_PERSONAL_ACCESS_TOKEN"' >> ~/.bashrc
```

**Benefits:**
Confidence
82% confidence
Finding
echo 'export GANDI_API_TOKEN="YOUR_PERSONAL_ACCESS_TOKEN"' >> ~/.bashrc

VirusTotal

65/65 vendors flagged this skill as clean.
