ClawHub

Domain Details

v1.2.0

Look up domain WHOIS/RDAP info and check marketplace listings. Free API, no auth required.

4· 2.6k·2 current·2 all-time
by@julianengel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md shows simple HTTP lookups to domain-related endpoints returning WHOIS/RDAP and marketplace listings. However the SKILL.md metadata requires 'curl' (and examples use 'jq') while the registry metadata declared no required binaries — this mismatch should be clarified.
Instruction Scope
Instructions are narrowly scoped to calling the two external APIs and parsing JSON. They do not request local files, credentials, or other system state. Caveat: the README suggests an optional 'npx domaindetails' CLI — running npx will fetch and execute code from the npm registry, which is not the same as a simple API call and increases risk if you run it without vetting the package.
Install Mechanism
There is no install spec and the skill is instruction-only, so nothing is written to disk by the skill package itself. The only install-related action in the docs is an optional 'npx' invocation which would dynamically fetch code from npm; that is not part of an install spec and should be treated as running third-party code.
Credentials
The skill declares no environment variables or credentials and the runtime instructions do not require secrets. This is proportionate for a read-only WHOIS/marketplace lookup skill.
Persistence & Privilege
The skill does not request persistent presence (always=false) and there is no evidence it modifies agent/system configuration. Autonomous invocation is allowed by default (normal).
What to consider before installing
This skill appears to do what it says (curl two public endpoints and parse JSON), but: (1) confirm the API hostnames (mcp.domaindetails.com, api.domaindetails.com) are trustworthy — the skill has no homepage or known publisher; (2) the SKILL.md uses curl and jq but the registry metadata doesn't list required binaries — ensure your environment has curl/jq before use; (3) avoid running 'npx domaindetails' unless you inspect the npm package first, because npx will download and execute code from the npm registry; (4) ask the skill author for provenance (homepage, source repo, or package manifest) and for the declared required binaries to be aligned with SKILL.md; and (5) if you plan to query sensitive domains, remember requests go to the external API (no local-only lookup). If you cannot verify the service origins, treat the skill as untrusted and prefer manual curl calls to inspect responses before automating.

Like a lobster shell, security has layers — review code before you run it.

latestvk978n8h7g7nz1exmjderz4xj3n7yp8e9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Binscurl

Comments