Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DomainForAgents

v1.0.0

Search, register, and manage internet domains for AI agents via DomainForAgents API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes searching, registering, and managing domains via an API, which is coherent with the skill name and description. However, the registry metadata lists no homepage/source while the instructions reference https://domainforagents.io and an npm package (@domainforagents/mcp). The absence of declared primary credentials in the metadata is inconsistent with the API-key-based workflow described in the instructions.
Instruction Scope
Runtime instructions are focused on calling the DomainForAgents REST API (curl examples) and optionally installing an MCP helper via npx. The instructions do not ask the agent to read arbitrary local files or other unrelated environment variables. They do, however, instruct the user/agent to export an API key and to perform payment-related operations (Stripe/USDC).
Install Mechanism
There is no install spec in the registry (instruction-only), which is low-risk. The SKILL.md recommends installing an MCP server helper via npx @domainforagents/mcp; running npx executes remote package code on the machine and is a potentially risky operation if the package/source is untrusted. Links provided point to domainforagents.io and npm; the skill does not include a vetted install manifest.
Credentials
The SKILL.md clearly expects an API key (DOMAINFORAGENTS_API_KEY or Authorization: Bearer) and shows payment flows (Stripe tokenization, USDC deposit). The registry metadata, however, lists no required environment variables or primary credential. This mismatch (undeclared but required API key and potentially sensitive payment endpoints) is disproportionate to what the metadata advertises and reduces transparency about secrets the skill will use.
Persistence & Privilege
The skill does not request always:true, has no OS restrictions, and does not request config paths or system-wide changes. It appears not to request elevated or persistent platform privileges.
What to consider before installing
This skill appears to be a wrapper around a domain-registration API and largely behaves as described, but there are gaps and risks to consider before installing:
1) Metadata does not declare the API key that the SKILL.md requires; ask the publisher to list required env vars and a verified homepage/source.
2) The SKILL.md recommends running an npm package via npx; only run that if you trust the npm package and its publisher.
3) Payment flows (Stripe, USDC on Solana) mean you may be interacting with real money; verify deposit addresses and billing behavior on the provider's official site.
4) Treat any API key issued by the service as a secret; prefer skills whose registry metadata explicitly declares required credentials.
If you need to proceed, request the publisher to provide a canonical homepage, OpenAPI spec hosting under their domain, and a declared primaryEnv in the registry so you can audit the integration; otherwise consider this skill suspicious and proceed cautiously.
