Namecheap DNS
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: namecheap-dns
Version: 1.1.0
The skill's stated purpose and overall design are benign, aiming to provide a safer wrapper for Namecheap DNS management. However, the `namecheap-dns.js` script contains a shell injection vulnerability. User-controlled inputs (`fullDomain` and `sub`) are directly interpolated into `execSync` calls for the `dig` command (e.g., ``execSync(`dig +short ${fullDomain} ${type}`)``). This lack of input sanitization could allow an attacker to execute arbitrary commands if they can control the domain argument, making it a critical vulnerability, but not evidence of intentional malicious behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed domain value could cause the agent’s computer to run commands beyond DNS lookup.
The CLI domain argument is inserted directly into a shell command. If a crafted domain containing shell metacharacters is used, the local shell could execute unintended commands.
``execSync(`dig +short ${fullDomain} ${type}`, {``
Replace execSync shell strings with execFileSync/spawn using argument arrays, and validate domains with a strict allowlist before running dig.
Incorrect inputs or unsafe use could disrupt website, email, or domain routing records.
The skill performs Namecheap's setHosts operation, which the documentation itself explains replaces all DNS records. This is purpose-aligned and disclosed, but high impact.
`await apiRequest('namecheap.domains.dns.setHosts', params);`
Use dry-run first, review diffs carefully, keep backups, and avoid --force unless you understand the DNS records that may be removed.
Anyone or any agent process able to run this skill with those environment variables can modify Namecheap DNS records for authorized domains.
The skill requires Namecheap API credentials from environment variables and uses them for account-level DNS API calls. This is expected for the stated purpose, but the registry metadata lists no required env vars or primary credential.
`API_KEY = getEnv('NAMECHEAP_API_KEY');`
Declare the required credential variables in metadata, store them securely, restrict Namecheap API access where possible, and only run the skill in trusted sessions.
