Domainion Ops

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is transparent about managing domains and DNS, but it uses powerful registrar credentials and commands that can buy domains or disrupt websites, so use it only with explicit confirmation.

This skill appears coherent and purpose-aligned, with no code or hidden install behavior. Before using it, make sure you understand that registrar API keys can make real account changes. Approve each paid or destructive action explicitly, review DNS diffs before applying them, and store any API credentials securely.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong or insufficiently reviewed command could change DNS, break email or websites, alter transfer-sensitive domain state, or incur domain registration or renewal charges.

Why it was flagged

These are legitimate capabilities for a DNS/registrar operations skill, but they are account- and availability-changing actions where mistakes can cause cost or outages.

Skill content

Use for
  registering domains, flipping nameservers, managing DNS records (A, AAAA, CNAME, MX, TXT, NS, SRV),
  setting up redirects, checking domain availability, renewals, transfers

Recommendation

Require explicit user approval for every purchase, renewal, transfer, nameserver change, full-zone replacement, or delete; show the current state and planned change before executing.

What this means

Anyone or any agent process with access to these credentials may be able to manage domains and DNS in the associated registrar account.

Why it was flagged

Registrar API credentials are expected for this skill, but they are high-privilege secrets that can authorize domain and DNS account changes.

Skill content

Before any operation, verify credentials exist. Store in env or `~/.domainion`:

NAMECOM_TOKEN=your_api_token
GODADDY_API_SECRET=your_secret
NAMECHEAP_API_KEY=your_api_key

Recommendation

Use least-privilege or provider-scoped API keys where available, avoid pasting secrets into chat, store them in a protected secrets manager or permission-restricted file, and rotate keys after use if exposure is possible.

What this means

If existing DNS records are omitted or overwritten, services across the domain could stop working until records are restored and DNS propagates.

Why it was flagged

A single DNS update can overwrite many records at once. The reference correctly warns about this, but the impact can cascade across websites, email, and verification systems.

Skill content

Namecheap's `setHosts` REPLACES the entire zone. Always GET existing records first and include them in your PUT.

Recommendation

Export and compare the full DNS zone before applying changes, keep a rollback copy, and perform high-impact DNS changes during a maintenance window when possible.