v0.0.14

name.com registrar

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:58 AM.

Analysis

Review before installing: this skill is transparent about using Name.com, but it gives an external npm MCP server a full Name.com API token that can buy domains and change DNS.

Guidance: Install only if you want an agent to manage your Name.com account. Start with sandbox credentials, inspect the npm package and repository, IP-whitelist and limit the production token, avoid high-limit payment methods, and require explicit confirmation for every purchase or DNS/nameserver change.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`register_domain` ... `Provisions and registers a domain via the account’s payment settings` ... `set_nameservers` ... `Replace a domain's nameservers` ... `manage_dns` ... `Create, delete, or list DNS records.`

These tools can make financially consequential registrar changes and public DNS changes. The purchase path is documented with a dry-run token flow, but the DNS and nameserver mutation tools are still high-impact actions.

User impact: A mistaken or overly broad agent action could charge the account, break websites or email, or redirect domain traffic.
Recommendation: Require explicit user confirmation for every purchase, nameserver change, DNS creation, and DNS deletion; verify exact domains and record values before allowing the tool to act.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Note
install spec
`node` | package: `namecom-clawbot` | creates binaries: `namecom-clawbot`

The runnable implementation comes from an external npm package, while the supplied scan context contains no code files beyond SKILL.md.

User impact: The npm package will handle the Name.com token and registrar operations, so package provenance matters before installation.
Recommendation: Review the npm package and linked repository, verify published provenance if available, and install in an isolated environment before using production credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`NAMECOM_USERNAME` | Yes | Name.com account username ... `NAMECOM_TOKEN` | Yes | Name.com API token ... `Name.com does not currently offer per-operation token scopes`

The MCP server requires a real Name.com account credential, and the artifact states that this token cannot be limited to specific operations.

User impact: Anyone or anything with access to that token may have broad authority over the connected Name.com account through the API.
Recommendation: Use sandbox credentials first, IP-whitelist the token, prefer account credit or payment limits, rotate the token if no longer needed, and avoid exposing it in shared logs or configs.