ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Namecheap DNS

v1.1.0

Manage Namecheap DNS records safely by fetching existing entries, merging changes, auto-backing up, previewing diffs, dry-running, and rolling back updates.

0· 673·1 current·1 all-time
by@jarekbird
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (managing Namecheap DNS) legitimately requires Namecheap API credentials and network access to Namecheap; the code indeed requires NAMECHEAP_API_KEY, NAMECHEAP_USERNAME and NAMECHEAP_API_USER. However the registry metadata declares no required environment variables or primary credential — that's an inconsistency that could mislead users about what secrets are needed. Additionally the code runs system 'dig' commands but the declared required binaries only list node and npm, not dig.
!
Instruction Scope
SKILL.md instructs the user to run npm install and set NAMECHEAP_* env vars, and the script performs network calls (Namecheap API and https://ifconfig.me/ip) and executes system 'dig' via execSync to enumerate live DNS. Those actions are within the DNS-management purpose, but they reference system binaries (dig) and an external IP service that are not reflected in the registry metadata. The script also writes backup files to disk (defaulting to a backups directory under the skill) and will abort if required env vars are missing.
Install Mechanism
There is no automated install spec in the registry (instruction-only), but the package.json and package-lock.json are included and SKILL.md tells users to run npm install in the skill directory. That is a reasonable manual install approach, but users should be aware that running npm install will write node_modules to disk and pull third-party packages (axios and its dependencies).
!
Credentials
The code requires NAMECHEAP_API_KEY, NAMECHEAP_USERNAME, and NAMECHEAP_API_USER (and optionally NAMECHEAP_BACKUP_DIR and DEBUG) — but the registry metadata lists no required env vars or primary credential. Requesting API keys is proportionate to the stated purpose, but the missing declaration is an important mismatch. The script also retrieves the public IP from ifconfig.me (to send to Namecheap for whitelisting).
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes backups to its own backup directory (default relative to the skill or configurable via NAMECHEAP_BACKUP_DIR). It uses execSync to run dig but that is local execution within the skill's scope. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk flags.
What to consider before installing
This skill appears to implement a legitimate Namecheap DNS helper, but the metadata published with the skill is incomplete. Before installing or running it: (1) expect to set NAMECHEAP_API_KEY, NAMECHEAP_USERNAME, and NAMECHEAP_API_USER in your environment — the script will exit without them; (2) ensure the host has 'dig' (the script calls dig via execSync) and you understand npm install will pull dependencies into the skill folder; (3) Namecheap requires your client IP to be whitelisted — the script queries https://ifconfig.me/ip to obtain your IP and sends it to the API; (4) backups are written to disk (default skill/backups or configurable via NAMECHEAP_BACKUP_DIR) so verify the storage location and permissions; (5) review package.json/package-lock.json (axios and common deps) and audit/install in a controlled environment if you don't trust the source. The primary issue is inconsistency between what the skill actually requires and what the registry metadata declares — if you intend to use it, request the publisher correct the metadata or confirm the required env vars and the need for 'dig' before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ah2ecznbrvjk73c6q4b51rd8130k9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Binsnode, npm

Comments