Skill v1.0.1
ClawScan security
Domani - domains & emails for lobsters · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 2:33 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requested capabilities and runtime instructions are largely consistent with its stated purpose (domain & email management), with a few minor documentation/installation inconsistencies you should be aware of before installing.
- Guidance: This skill appears to do what it claims: search, buy, manage domains and mailboxes via the domani.run API. Before installing: (1) Be prepared to provide or create a DOMANI_API_KEY — the skill will store the token in ~/.domani/config.json unless you keep it only in env; (2) the SKILL.md suggests running npx or downloading a zip from domani.run for installation/updates — those actions fetch and run code from the network, so verify the site and package before executing; (3) confirm you’re comfortable the domani.run domain is legitimate and that you won’t reuse a high-privilege/long-lived token elsewhere; (4) if you prefer less persistence, avoid storing the token on disk and pass a limited-scope token in the session instead. Nothing in the files looks intentionally malicious, but verify any downloaded installer (zip or npm package) and review network calls if you have stricter security requirements.
Review Dimensions
- Purpose & Capability (ok): The skill is for domain and email management and only requests curl and an API key (DOMANI_API_KEY), which are appropriate for calling an HTTP API. Examples and recipes align with domain/email workflows (DNS, WHOIS, transfer, mailboxes).
- Instruction Scope (note): The SKILL.md instructs the agent to read/write a local CLI config (~/.domani/config.json) and to check the DOMANI_API_KEY env var; these actions are reasonable for a CLI-backed service but the registry metadata did not declare any required config paths. The instructions also recommend running npx commands and downloading a zip from domani.run for installation/updates — normal for third-party skills but worth noting because they pull code from the network.
- Install Mechanism (note): No install spec is present in the registry (instruction-only). The SKILL.md documents multiple install paths that include npx and a downloadable domani-skill.zip from domani.run; these are common but involve fetching executable code from the vendor site/npm, so users should treat downloads/automatic npx runs as network-executed code and verify the source.
- Credentials (note): The declared primary credential is DOMANI_API_KEY, which is required for actions like buying domains and sending email — appropriate. The SKILL.md also instructs checking and storing a token in ~/.domani/config.json (not listed in registry config paths). No unrelated credentials or broad secrets are requested.
- Persistence & Privilege (ok): "always" is false (normal). The skill asks to create and store its own config file (~/.domani/config.json) and to store the API token there — this is expected for a CLI-style integration and is limited to the skill's own config.
