Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Domain availability API built for AI agents. Check single domains, explore names across .com/.io/.ai/.dev/etc, filter by budget, get smart suggestions. Returns proper JSON/TXT with correct Content-Type headers.

v1.0.1

The world's

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and runtime instructions consistently describe a domain registrar API (lookups, quotes, purchases, DNS and nameserver management). The declared requirements list no binaries or environment variables, which is consistent with an instruction-only skill that calls an external HTTPS API. The only oddity is the metadata field 'primaryEnv: any' (ambiguous), but this does not materially change the skill's declared purpose.
Instruction Scope
SKILL.md only instructs the agent to call HTTPS endpoints at https://clawdaddy.app and to save/use a returned managementToken for management operations. It does not direct reading of unrelated files, system paths, or extraneous environment variables, nor does it instruct exfiltration to third-party endpoints other than the service's own base URL.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk or downloaded at install time. This is the lowest-risk install model.
Credentials
The skill declares no required env vars and no config paths, which is appropriate. However, the metadata includes 'primaryEnv: any' (and registry 'Primary credential: any'), which is ambiguous and unexplained. The real sensitive artifact here is the managementToken returned at purchase; the skill correctly states it must be saved and used as a Bearer token. Users should treat that token as a secret and ensure the agent/platform stores it securely.
Persistence & Privilege
always is false and the skill does not request elevated persistence. It does not attempt to modify other skills or global agent settings. Autonomous invocation (model-invocation enabled) is the platform default and not a concern by itself.
Assessment
This skill appears to be what it claims: an AI-oriented domain registrar API. Before installing, verify the service URL (https://clawdaddy.app) is legitimate and trustworthy. Be cautious with any managementToken you receive — treat it like a password and do not expose it to other agents or services. Note the SKILL.md metadata 'primaryEnv: any' is ambiguous; confirm whether the platform will prompt for credentials and what it will store. When purchasing, double-check the payment flow (x402/Stripe) and never share secrets or private keys with an agent unless you understand how they're stored and used.

Like a lobster shell, security has layers — review code before you run it.

latestvk973057kb2ndrg1ctk71bvmdgd80cx1h

Runtime requirements

Primary env: any