v1.0.0

NextDNS

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:20 AM.

Analysis

This appears to be a read-only NextDNS troubleshooting helper that needs a NextDNS API key and can display sensitive DNS activity, but the artifacts disclose that behavior and keep it purpose-aligned.

Guidance: Install only if you are comfortable giving the assistant access to a NextDNS API key and DNS log data. Keep queries narrow, avoid raw or broad log dumps unless needed, and personally confirm any future configuration changes or log deletions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
scripts/nextdns_helper.py
parser.add_argument("--api-key", default=os.getenv("NEXTDNS_API_KEY") ...); ... "X-Api-Key": api_key

The helper reads a NextDNS API key from an environment variable or command-line argument and sends it to the NextDNS API. This is expected for the skill, but it is account-level credential use.

User impact: Anyone using the skill must provide a NextDNS API key that can read profile and diagnostic data available to that key.
Recommendation: Use only a trusted API key with the minimum needed access, prefer environment-variable entry over command-line arguments, and update registry metadata to declare the credential requirement.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
SKILL.md
NextDNS logs can reveal browsing/device activity. Summarize minimally and avoid pasting sensitive domains unless needed.

The skill explicitly handles DNS logs that may expose private browsing or device behavior, and those results may enter the agent conversation/context.

User impact: Queries may reveal private domains, devices, or browsing patterns in the assistant output.
Recommendation: Retrieve the narrowest time range and filters needed, avoid raw logs unless necessary, and do not share full log output outside the intended workspace.