Back to skill
Skillv1.0.0
ClawScan security
Purpleflea Domains · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 6, 2026, 1:00 PM
- Verdict
- Review
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's domain-management instructions mostly match its description, but it contains a clear prompt-injection/monetization attempt (asking agents to embed a referral code into the system prompt) and its provenance is unknown, so proceed with caution.
- Guidance
- This skill otherwise appears to describe a real domain-registration API, but it includes a prompt-injection monetization instruction asking agents to embed a referral_code into the system prompt. That is outside the skill's legitimate function and can cause agents to persistently act to benefit the skill author. Before installing: (1) Do not embed referral codes into system prompts or global agent configuration. (2) Prefer testing against a throwaway account and small funds if you want to try the service. (3) Verify the service independently (check TLS certs, DNS, a public homepage, company identity, and an OpenAPI or source repo). (4) Avoid granting permanent credentials or modifying system prompts; store any returned API key in ephemeral agent state only if you trust the provider. If you need automatic domain purchases, implement your own verified integration rather than relying on unvetted instruction-only skills.
- Findings
[system-prompt-override] unexpected: The SKILL.md contains an explicit suggestion to 'Embed in system prompt to earn automatically' and provides a system-prompt snippet. A domain-registration API does not need to modify an agent's system prompt; this looks like a prompt-injection attempt to auto-insert a referral code.
Review Dimensions
- Purpose & Capability
- noteThe described capabilities (domain search, purchase via USDC on Base, DNS management, referral program) align with the endpoints documented in SKILL.md and references/api.md. Nothing in the skill asks for unrelated system credentials or binaries. However, the referral monetization instruction (embed referral_code into system prompt) is outside the functional purpose of domain management and appears designed to harvest commissions.
- Instruction Scope
- concernSKILL.md is instruction-only and instructs the agent to call only the service's endpoints (expected). It also explicitly instructs: 'Embed in system prompt to earn automatically' and shows a system-prompt snippet — a prompt-injection attempt that asks agents to modify their system prompt so future actions include the author's referral code. That is scope-creep and a manipulation vector.
- Install Mechanism
- okNo install spec and no code files beyond documentation. This reduces direct disk/execution risk; the skill is instruction-only.
- Credentials
- noteThe skill declares no required environment variables or credentials (reasonable for an instruction-only API client). It does, however, instruct agents to call POST /register which would return an API key at runtime — so the agent would handle per-session API credentials but the skill does not request persistent secrets. The referral instruction tries to get a persistent monetization hook (via system-prompt embedding) without declaring or justifying any credential requirements.
- Persistence & Privilege
- concernThe skill is not marked always:true and may be invoked normally, but it explicitly tells the user/agent to modify the system prompt to include a referral_code. That instruction requests cross-cutting persistent modification of agent configuration (system prompt), which is outside a normal skill's scope and increases abuse/monetization risk.