unhuman

Pass

Audited by ClawScan on May 1, 2026.

Overview

This domain-management skill is coherent and discloses its high-impact actions, but users should carefully confirm any Bitcoin payment, DNS change, or token-related action.

This skill appears purpose-aligned for managing domains through unhuman.domains. Before installing, be comfortable with an npm CLI that can register or renew domains, change DNS/nameservers, store domain management tokens locally, and optionally spend Bitcoin through agent-wallet. Confirm exact domain names, DNS records, renewal periods, and payment amounts before allowing any mutating command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used intentionally, this can register or renew domains and spend Bitcoin; if used by mistake, it could cause unwanted charges or domain changes.

Why it was flagged

The CLI can trigger real Bitcoin payments and domain actions, but the artifact clearly marks wallet payment as requiring explicit user confirmation.

Skill content

npx unhuman domains register mysite.xyz --wallet --email recovery@example.com ... **Always confirm with the user before using --wallet.** This flag triggers a real bitcoin payment.

Recommendation

Only use `--wallet` after the user explicitly approves the exact domain, price, and payment action. Review DNS and nameserver changes before applying them.

What this means

Anyone or any tool with access to these tokens may be able to change DNS, nameservers, or renew domains tied to them.

Why it was flagged

The skill uses local management tokens that can authorize domain-management operations.

Skill content

Management tokens: Stored at `~/.unhuman/tokens.json` after successful registration. These tokens are required for DNS/nameserver/renewal operations. Protect this file.

Recommendation

Keep `~/.unhuman/tokens.json` private, avoid exposing token command output in chats or logs, and remove tokens when no longer needed.

What this means

Installing the npm package gives that package code execution in the local environment when the CLI is run.

Why it was flagged

The skill relies on installing an external npm package to provide the CLI, which is expected for this purpose but means trust depends on that package source.

Skill content

node | package: unhuman | creates binaries: unhuman

Recommendation

Install only from the intended npm package, verify the publisher/version where possible, and consider pinning or auditing the package before use in sensitive environments.