Nex Domains
v1.0.0Comprehensive domain portfolio manager for managing multiple domains across different registrars (Cloudflare, TransIP, and others). Monitor domain expiration...
⭐ 1· 26·0 current·0 all-time
byNex AI@nexaiguy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (multi-registrar domain manager) matches the binaries (whois, dig, openssl) and Cloudflare/TransIP env vars. However, registry metadata lists CF_API_TOKEN, CF_EMAIL, TRANSIP_LOGIN, and TRANSIP_PRIVATE_KEY_PATH as required env vars while the SKILL.md/README describe those variables as optional for API sync — this mismatch between 'required' and 'optional' is an inconsistency to be aware of.
Instruction Scope
SKILL.md instructs running the supplied setup.sh and using the nex-domains CLI to perform local WHOIS, DNS, SSL, HTTP checks and optional Cloudflare/TransIP syncs. The runtime instructions and code operate on local data (~/ .nex-domains) and call only the registrar APIs (Cloudflare) when configured. I found no instructions that ask the agent to read unrelated system files or send data to unexpected external endpoints.
Install Mechanism
There is no registry 'install' spec, but the package includes a setup.sh script that will initialize the DB, create ~/.nex-domains, and install a wrapper in ~/.local/bin. That is normal for a CLI tool, but the lack of a declared install mechanism in registry metadata is a minor inconsistency — review setup.sh before running since it writes files and creates a symlink.
Credentials
Requested env vars match Cloudflare/TransIP integration needs. However TRANSIP_PRIVATE_KEY_PATH points to a local private key path (sensitive) and the registry marks these env vars as required while SKILL.md says they are optional for sync. Requiring or encouraging a private key path is proportional only if you actually intend to perform registrar operations; avoid supplying long-lived credentials unless necessary.
Persistence & Privilege
The skill does not request 'always: true' and uses a local data directory (~/.nex-domains). The setup script writes to the user's home directory and installs a CLI wrapper under ~/.local/bin — standard behavior for a CLI tool and not an elevated privilege in the skill metadata.
Assessment
This package appears to be a legitimate domain portfolio CLI: it uses whois/dig/openssl for checks and the Cloudflare API when you set CF_API_TOKEN. Before installing: (1) Review setup.sh — it creates ~/.nex-domains, initializes an SQLite DB and installs a wrapper in ~/.local/bin. (2) Do not export sensitive credentials (CF_API_TOKEN, TRANSIP private key) system-wide unless you trust and need the API sync features; TRANSIP_PRIVATE_KEY_PATH points to a private key file on disk. (3) Note the metadata mismatch: the registry lists env vars as required while the README marks them optional — the tool should work for local/manual tracking without credentials. (4) Run in a sandbox or test account if possible, and inspect log/database files in ~/.nex-domains for any unexpected data. If you want, I can point out the exact lines that read environment variables and where the setup script writes files.Like a lobster shell, security has layers — review code before you run it.
latestvk97677zh9etxfm54as1983qec9848h0v
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🌐 Clawdis
Binspython3, whois, dig, openssl
EnvCF_API_TOKEN, CF_EMAIL, TRANSIP_LOGIN, TRANSIP_PRIVATE_KEY_PATH