Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GetPost Domains API
v1.0.0
Register domains, manage DNS, and set up email sending via API.
by domm @dommholland
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (domain registration, DNS, email) match the runtime instructions, which call getpost.dev APIs. However, SKILL.md expects an API key (Authorization: Bearer gp_live_...), yet the registry lists no required env vars or primary credential. That mismatch is an inconsistency that reduces transparency about how the agent will obtain and store credentials. The source and homepage are also missing, limiting auditability.
Instruction Scope
The instructions consist only of curl calls to getpost.dev endpoints and do not tell the agent to read local files or other environment variables, or to send data to unexpected third-party endpoints. They stay within the stated domain-management scope.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes installation risk (nothing is written to disk or auto-installed).
Credentials
The skill clearly requires an API key to operate (SKILL.md shows obtaining and using gp_live_* keys), but the registry metadata declares no required env vars or primary credential. Additionally, SKILL.md claims GetPost will auto-provision Cloudflare DNS and SendGrid email auth. Users should understand whether those third-party integrations use the user's credentials or GetPost's own integrations. The lack of declared credentials and the missing source/homepage fall short of the transparency you'd expect for a service that can control DNS and email.
Persistence & Privilege
Flags show no always:true, and default autonomous invocation is allowed (platform default). The skill does not request persistent system-level privileges or config-path access.
What to consider before installing
This skill appears to be what it says (domain/DNS/email management), but it has a transparency gap: SKILL.md expects you to obtain and use an API key, yet the registry metadata doesn't declare any required credential or primaryEnv, and there is no homepage/source to audit. Before installing:
1) Ask the publisher for a homepage or source repo and for the declared primaryEnv name where the API key should be stored.
2) Avoid pasting production credentials into unknown skills; use a limited-scope or test API key.
3) Verify how GetPost provisions Cloudflare/SendGrid (will it ask you for your Cloudflare/SendGrid credentials or use its own integrations?).
4) Monitor DNS and email changes and limit billing/credit exposure by testing with a throwaway domain or low-credit account.
If the publisher cannot clarify the credential handling and provenance, treat the skill cautiously or decline installation.
Like a lobster shell, security has layers: review code before you run it.
latest vk972b6me7jskpxpd692z71y4e5836jz4
