Skill v1.0.0
ClawScan security
Nex Domains · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 3:20 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and environment requirements are broadly consistent with a domain portfolio manager; no clear signs of data-exfiltration or unrelated privileges, but there are a few inconsistencies and sensitive configuration items you should review before installing.
- Guidance: This package appears to be a legitimate domain portfolio CLI: it uses whois/dig/openssl for checks and the Cloudflare API when you set CF_API_TOKEN. Before installing: (1) Review setup.sh — it creates ~/.nex-domains, initializes an SQLite DB and installs a wrapper in ~/.local/bin. (2) Do not export sensitive credentials (CF_API_TOKEN, TRANSIP private key) system-wide unless you trust and need the API sync features; TRANSIP_PRIVATE_KEY_PATH points to a private key file on disk. (3) Note the metadata mismatch: the registry lists env vars as required while the README marks them optional — the tool should work for local/manual tracking without credentials. (4) Run in a sandbox or test account if possible, and inspect log/database files in ~/.nex-domains for any unexpected data. If you want, I can point out the exact lines that read environment variables and where the setup script writes files.
Review Dimensions
- Purpose & Capability (note): Name/description (multi-registrar domain manager) matches the binaries (whois, dig, openssl) and Cloudflare/TransIP env vars. However, registry metadata lists CF_API_TOKEN, CF_EMAIL, TRANSIP_LOGIN, and TRANSIP_PRIVATE_KEY_PATH as required env vars while the SKILL.md/README describe those variables as optional for API sync — this mismatch between 'required' and 'optional' is an inconsistency to be aware of.
- Instruction Scope (ok): SKILL.md instructs running the supplied setup.sh and using the nex-domains CLI to perform local WHOIS, DNS, SSL, HTTP checks and optional Cloudflare/TransIP syncs. The runtime instructions and code operate on local data (~/.nex-domains) and call only the registrar APIs (Cloudflare) when configured. I found no instructions that ask the agent to read unrelated system files or send data to unexpected external endpoints.
- Install Mechanism (note): There is no registry 'install' spec, but the package includes a setup.sh script that will initialize the DB, create ~/.nex-domains, and install a wrapper in ~/.local/bin. That is normal for a CLI tool, but the lack of a declared install mechanism in registry metadata is a minor inconsistency — review setup.sh before running since it writes files and creates a symlink.
- Credentials (concern): Requested env vars match Cloudflare/TransIP integration needs. However, TRANSIP_PRIVATE_KEY_PATH points to a local private key path (sensitive) and the registry marks these env vars as required while SKILL.md says they are optional for sync. Requiring or encouraging a private key path is proportional only if you actually intend to perform registrar operations; avoid supplying long-lived credentials unless necessary.
- Persistence & Privilege (ok): The skill does not request 'always: true' and uses a local data directory (~/.nex-domains). The setup script writes to the user's home directory and installs a CLI wrapper under ~/.local/bin — standard behavior for a CLI tool and not an elevated privilege in the skill metadata.
