Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Domain Recommender

v0.1.0

Recommend SEO-friendly, brandable domain names for an AI product idea, then verify current availability before returning candidates. Use when the user provid...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (domain recommendations + availability checks) align with the declared requirements: python3 and dig are reasonable for generating names and performing DNS checks. The references file contains sensible naming heuristics that match the stated purpose.
Instruction Scope
SKILL.md repeatedly instructs the agent to 'use the bundled script' (python3 scripts/generate_candidates.py) and shows examples, but no scripts or code files are included in the package. That is an internal inconsistency: the instructions expect a local generator that doesn't exist. The doc also mandates live registrar and DNS checks (visiting third-party pages), which is appropriate for availability verification but expands the agent's network reach; the skill gives no guidance for which registrar APIs to use or how to safely confirm availability, so the agent might resort to scraping or fetching arbitrary pages.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which is low-risk. It does, however, assume the presence of python3 and dig on the host — reasonable for the stated tasks.
Credentials
The skill requests no environment variables, credentials, or config paths. No disproportionate secrets access is requested for the described functionality.
Persistence & Privilege
The skill does not request always: true and does not attempt to modify other skills or system configs. Normal autonomous invocation is allowed but not combined with other elevated privileges.
What to consider before installing
Key points to consider before installing or using this skill:
- The SKILL.md says to run a 'bundled' script (scripts/generate_candidates.py) but the package does not include any scripts. Ask the author to provide the missing script or a corrected SKILL.md before trusting the skill. Without the script, the agent may attempt to fetch code from the web or improvise commands.
- Availability checking requires live queries to registrars or parsing marketplace pages. Be aware that using this skill will cause the agent to make outbound web requests that could reveal your product idea to third parties. If that is sensitive, run the skill in a sandbox or request an offline-only mode.
- The dependence on dig and registrar web checks is sensible for DNS-based heuristics, but dig alone does not prove registrar availability (the doc correctly notes this). Prefer skills/tools that use official WHOIS/registrar APIs if you need authoritative confirmation.
- Because this is instruction-only and lacks bundled code, consider testing behavior in a controlled environment first. If you proceed, ask the maintainer for the missing scripts, a clear list of registrars/APIs the skill will query, and sample outputs so you can audit network targets.
- Overall: the idea is coherent, but the missing script and vague live-check guidance are unresolved issues that make the skill suspicious until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d9y37annewjzcna5d2dzhys83fadn


Runtime requirements

Bins: python3, dig
