Namecheap DNS

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernHigh Confidence

ASI05: Unexpected Code Execution

What this means

A malicious or malformed domain value could cause the agent’s computer to run commands beyond DNS lookup.

Why it was flagged

The CLI domain argument is inserted directly into a shell command. If a crafted domain containing shell metacharacters is used, the local shell could execute unintended commands.

Skill content

execSync(`dig +short ${fullDomain} ${type}`, {

Recommendation

Replace execSync shell strings with execFileSync/spawn using argument arrays, and validate domains with a strict allowlist before running dig.

NoteHigh Confidence

ASI02: Tool Misuse and Exploitation

What this means

Incorrect inputs or unsafe use could disrupt website, email, or domain routing records.

Why it was flagged

The skill performs Namecheap's setHosts operation, which the documentation itself explains replaces all DNS records. This is purpose-aligned and disclosed, but high impact.

Skill content

await apiRequest('namecheap.domains.dns.setHosts', params);

Recommendation

Use dry-run first, review diffs carefully, keep backups, and avoid --force unless you understand the DNS records that may be removed.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

Anyone or any agent process able to run this skill with those environment variables can modify Namecheap DNS records for authorized domains.

Why it was flagged

The skill requires Namecheap API credentials from environment variables and uses them for account-level DNS API calls. This is expected for the stated purpose, but the registry metadata lists no required env vars or primary credential.

Skill content

API_KEY = getEnv('NAMECHEAP_API_KEY');

Recommendation

Declare the required credential variables in metadata, store them securely, restrict Namecheap API access where possible, and only run the skill in trusted sessions.

Findings (2)

critical

suspicious.dangerous_exec

Location: namecheap-dns.js:127
Finding: Shell command execution detected (child_process).

critical

suspicious.env_credential_access

Location: namecheap-dns.js:16
Finding: Environment variable access combined with network send.