Namecheap DNS
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill’s DNS purpose is coherent, but its code builds local shell commands from the domain argument and uses high-power Namecheap API credentials, so it should be reviewed before use.
Only install this if you trust the code and need Namecheap DNS automation. Until the shell-command issue is fixed, do not let the agent run it on domains copied from untrusted text. Use dry-run first, review diffs, keep backups, and protect the Namecheap API environment variables.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed domain value could cause the agent’s computer to run commands beyond DNS lookup.
The CLI domain argument is inserted directly into a shell command. If a crafted domain containing shell metacharacters is used, the local shell could execute unintended commands.
execSync(`dig +short ${fullDomain} ${type}`, {Replace execSync shell strings with execFileSync/spawn using argument arrays, and validate domains with a strict allowlist before running dig.
Incorrect inputs or unsafe use could disrupt website, email, or domain routing records.
The skill performs Namecheap's setHosts operation, which the documentation itself explains replaces all DNS records. This is purpose-aligned and disclosed, but high impact.
await apiRequest('namecheap.domains.dns.setHosts', params);Use dry-run first, review diffs carefully, keep backups, and avoid --force unless you understand the DNS records that may be removed.
Anyone or any agent process able to run this skill with those environment variables can modify Namecheap DNS records for authorized domains.
The skill requires Namecheap API credentials from environment variables and uses them for account-level DNS API calls. This is expected for the stated purpose, but the registry metadata lists no required env vars or primary credential.
API_KEY = getEnv('NAMECHEAP_API_KEY');Declare the required credential variables in metadata, store them securely, restrict Namecheap API access where possible, and only run the skill in trusted sessions.