ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Domain Check

v1.0.0

Check domain availability via Vercel and buy/manage domains via Vercel CLI

0· 495·3 current·3 all-time
by@brennerspear
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description match the SKILL.md: it uses the Vercel CLI and Vercel Registrar API to check availability and buy domains. However, the skill does not declare any required credentials or env vars even though the instructions clearly require a Vercel token/team ID and CLI authentication. That omission is a material inconsistency.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to read the Vercel CLI auth file (~/.local/share/com.vercel.cli/auth.json) and config (~/.local/share/com.vercel.cli/config.json) or to use a VERCEL_TOKEN/VERCEL_TEAM_ID env var. It also demonstrates exec(...) calls (including interactive buys with pty:true) and curl POSTs that would actually purchase domains. These instructions access local credential files and allow high-impact actions (purchasing domains) that are not declared in the skill metadata.
Install Mechanism
There is no install spec and no code files; this instruction-only approach minimizes disk-write risk. However, the instructions assume external tooling (npx, jq, curl, Vercel CLI) that the environment must have, which is not declared in required binaries.
!
Credentials
The skill requires a Vercel token and (optionally) a team ID to operate, and it demonstrates reading those from local files — yet requires.env and primary credential are empty. It also references jq, npx and curl but none are listed as required binaries. Requesting or reading tokens is expected for this purpose, but failing to declare them is a proportionality/visibility problem and increases risk of accidental credential access/exfiltration.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configs. It can invoke interactive commands (buy flows), which is normal for its purpose, but that capability combined with undeclared credential access raises risk — the permission model is otherwise standard.
What to consider before installing
This skill appears to be functionally what it claims (Vercel domain checks and buys) but the runtime instructions expect access to your Vercel CLI token and team config files (or VERCEL_TOKEN / VERCEL_TEAM_ID) even though the skill metadata lists no required credentials. Before installing or enabling this skill: 1) Verify the skill source and trustworthiness (there is no homepage and the owner is unknown). 2) Be cautious about giving the agent filesystem access or allowing autonomous runs that could read ~/.local/share/com.vercel.cli/auth.json and use that token. 3) Ensure npx, jq, curl and the Vercel CLI are present if you intend to use it; confirm the skill declares those requirements or run it in a restricted environment. 4) If you don't want accidental purchases, disallow interactive execs or require manual confirmation for any buy/POST operations. 5) Demand that the skill metadata be updated to declare the VERCEL_TOKEN/VERCEL_TEAM_ID requirements (or explicitly state that it will read the Vercel CLI files) so you can make an informed permission decision.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dqy8zf749y2sd1p506hgb5x81tykc
495downloads
0stars
1versions
Updated 5h ago
v1.0.0
MIT-0
@brennerspear
latest
Download

Domain Check & Buy (Vercel)

Check domain availability, pricing, and purchase — all via Vercel.

Quick Reference

# Check availability + pricing for a name across TLDs
domain-check myproject

# Check specific TLDs
domain-check myproject com,io,dev,app,ai

# Buy a domain (interactive — needs pty:true)
npx vercel domains buy mydomain.com

# List your owned domains
npx vercel domains list

# Inspect a domain you own
npx vercel domains inspect mydomain.com

# Add domain to a Vercel project
npx vercel domains add mydomain.com my-project

# Transfer a domain into Vercel
npx vercel domains transfer-in mydomain.com

How It Works

Availability Check (domain-check)

Uses the Vercel Registrar API (/v1/registrar/domains/{domain}/price):

  • purchasePrice: null → domain is taken
  • purchasePrice: <number> → domain is available at that price
$ domain-check myproject
Checking: myproject
-----------------------------------------------------------
DOMAIN                    STATUS         BUY PRICE    RENEWAL
-----------------------------------------------------------
myproject.com             ❌ Taken       -            $11.25
myproject.io              ✅ Available   $46.00       $46.00
myproject.dev             ✅ Available   $13.00       $13.00
-----------------------------------------------------------
Prices from Vercel Registrar

Buying (npx vercel domains buy)

Interactive command — requires pty: true when calling from exec.

# Example exec call
exec(command: "npx vercel domains buy myproject.dev", pty: true, timeout: 30)

The CLI will show price and ask for confirmation before charging.

API Direct (for scripts)

VERCEL_TOKEN=$(jq -r '.token' ~/.local/share/com.vercel.cli/auth.json)
TEAM=$(jq -r '.currentTeam // empty' ~/.local/share/com.vercel.cli/config.json)
TEAM_PARAM="${TEAM:+?teamId=$TEAM}"

# Check price/availability
curl -s "https://api.vercel.com/v1/registrar/domains/example.com/price${TEAM_PARAM}" \
  -H "Authorization: Bearer $VERCEL_TOKEN"
# Returns: { "years": 1, "purchasePrice": 11.25, "renewalPrice": 11.25, "transferPrice": 11.25 }
# purchasePrice: null = taken, number = available

# Buy via API
curl -s -X POST "https://api.vercel.com/v1/registrar/domains${TEAM_PARAM}" \
  -H "Authorization: Bearer $VERCEL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "example.com"}'

Vercel CLI Domain Commands

CommandDescription
npx vercel domains listShow all domains
npx vercel domains inspect <domain>Domain info (owned domains only)
npx vercel domains buy <domain>Purchase (interactive)
npx vercel domains add <domain> <project>Add to Vercel project
npx vercel domains move <domain> <dest>Transfer to another team
npx vercel domains transfer-in <domain>Transfer in to Vercel
npx vercel domains remove <domain>Remove from team

Typical TLD Pricing (Vercel)

TLD~Price/yr
.com$11.25
.dev$13
.app$15
.co$27
.io$46
.ai$140
.org$9.99
.net$13.50
.xyz$13

Auth

Requires Vercel CLI authentication (npx vercel login). Token is read from ~/.local/share/com.vercel.cli/auth.json.

Team ID is auto-detected from Vercel CLI config, or set VERCEL_TEAM_ID env var to override. If neither is set, the personal account is used.

Notes

  • Vercel registrar API replaced the old v4 domains/price endpoint (sunsetted Nov 2025)
  • domains inspect only works for domains you own — use the price API for availability
  • .ai domains are expensive ($140/yr) across all registrars
  • When buying via CLI, use pty: true for the interactive confirmation prompt

Comments

Loading comments...