Skill v1.0.0

ClawScan security

Subdomain Enum · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 1:08 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary
The skill's code and instructions are consistent with a subdomain enumeration tool and do not request unrelated credentials or hidden endpoints.

Guidance
This skill is a straightforward subdomain enumerator. Before installing/running: only scan domains you own or are authorized to test; review any custom wordlist files you pass in (they may contain words that expand scan scope); be aware the script will write output to any file path you specify (avoid overwriting important files and don't run it as root). Installing the 'requests' package requires network access and appropriate permissions in the environment. If you plan to let an agent invoke this automatically, ensure network egress to crt.sh is acceptable and that the agent is not given broader file-system access than necessary.

Review Dimensions

Purpose & Capability
ok: Name and description match the included script and SKILL.md: DNS brute-force and crt.sh lookups are exactly what the script implements; no unrelated binaries, env vars, or services are requested.
Instruction Scope
note: SKILL.md simply instructs running the included Python script and documents options. The script may read a user-supplied wordlist file and can write results to a file — both expected for this tool, but these capabilities mean it can access arbitrary paths you pass as arguments.
Install Mechanism
note: No install spec; the only runtime dependency is the widely used 'requests' package (pip). This is proportionate, but installing packages via pip requires network access and privileges in the environment where the agent runs.
Credentials
ok: No environment variables, credentials, or config paths are required. The script only performs DNS lookups and HTTPS requests to crt.sh; requested capabilities are minimal and aligned with the purpose.
Persistence & Privilege
ok: Skill is not always-enabled and does not modify other skills or system-wide settings. It does not persist credentials or enable itself.