ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hostinger

v1.0.0

Manage Hostinger account via API — VPS administration (start/stop/restart, snapshots, backups, firewall, Docker), DNS zone management, domain portfolio, website hosting, and billing. Use when asked to deploy, publish, manage servers, configure DNS, or control any Hostinger service.

2· 1.2k·1 current·1 all-time
by@rexlunae
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, reference doc, and the included Python CLI consistently implement Hostinger account management (VPS, DNS, domains, hosting, billing). The required capabilities (API token, HTTP calls) are proportionate to the stated purpose.
Instruction Scope
Runtime instructions and the Python script only read the token file in ~/.config/hostinger/token, local JSON/compose files supplied by the user, and call Hostinger API endpoints. The SKILL.md does not instruct reading unrelated system files or exfiltrating data to non-Hostinger endpoints.
Install Mechanism
There is no install spec (instruction-only skill with an included script). The script depends on Python and the 'requests' library but the registry metadata does not list dependencies; this is benign but the user or integrator should ensure the environment has Python and requests installed before use.
Credentials
The skill requires a Hostinger API token (documented in SKILL.md) stored as a file under ~/.config/hostinger/token. The registry metadata lists no required env vars or credentials — which is consistent because the token is read from disk rather than environment variables. The token grants broad control (VPS, DNS, billing), so users should ensure the token has appropriate scope and protection.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system-wide settings. It will run only when invoked and uses the user's Hostinger token file for API calls.
Assessment
This skill appears to do what it claims: it reads a Hostinger API token from ~/.config/hostinger/token and issues API calls to developers.hostinger.com to manage VPS, DNS, domains, hosting, and billing. Before installing/use: 1) Create a dedicated API token with the minimum scope needed (if Hostinger supports scoped tokens) and store it at ~/.config/hostinger/token with restrictive permissions (chmod 600). 2) Understand the token allows powerful actions (change root password, create/delete VMs, modify DNS, cancel subscriptions); treat it like a secret and revoke it if compromised. 3) Ensure the runtime environment has Python 3 and the 'requests' library installed. 4) If you need stricter auditing, review the full script for any modifications (the provided file only calls Hostinger endpoints). If you don't use Hostinger or don't want remote management enabled, do not provide the token.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769ww6wqtyk6r1mbe1nmws3n80s8a0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments