Gandi - Registrar & DNS

v0.2.7

Comprehensive Gandi domain registrar integration for domain and DNS management. Register and manage domains, create/update/delete DNS records (A, AAAA, CNAME...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, declared requirement for GANDI_API_TOKEN, and included scripts (LiveDNS, domain, email management) are coherent. Required binaries (node, npm) make sense for the provided JavaScript scripts. No unrelated cloud credentials or irrelevant binaries are requested.
Instruction Scope
SKILL.md clearly documents destructive vs read-only scripts, how the token is loaded (env var or ~/.config/gandi/api_token), and explicitly warns to review code and create snapshots. It references local files (contact.json, api_token) and only calls Gandi API endpoints; there is no instruction to read unrelated system state or send data to third-party endpoints beyond Gandi and referenced docs. Note: several scripts perform destructive actions (bulk replace, delete, email-forward creation) — those are expected but high-impact.
Install Mechanism
No install spec is provided (lower surface), and files are bundled with the skill. This avoids arbitrary remote downloads, but the bundle contains many Node scripts and a scripts/package.json — the SKILL.md does not provide a formal npm install step or a published package, so you should inspect package.json and run dependency installation in a controlled environment before executing. No obscure external URLs or extract-from-URL installs were found in the provided content.
Credentials
Only GANDI_API_TOKEN (primary credential) and standard Node tooling are required. The requested credential directly matches the skill's purpose. The SKILL.md documents file- and env-based storage and recommends least-privilege PAT scopes and sandbox testing.
Persistence & Privilege
The skill is not force-installed (always:false) and sets disable-model-invocation:true, which prevents autonomous model invocation of destructive operations. It does not request system-wide configuration changes or other skills' credentials.
Assessment
This skill appears to be what it says: a Node-based Gandi registrar/DNS tool that legitimately needs a Gandi Personal Access Token. However:

- Treat it as high-impact: many scripts are destructive (bulk replace, delete, restore snapshots, email-forward creation). Always use read-only tokens for queries and create separate write-scoped tokens only when you intend to modify resources.
- Source verification: the skill bundle contains code but the registry 'source' and homepage are unknown. Before running anything, inspect the scripts (especially gandi-api.js and any scripts that build requests) and review scripts/package.json for dependencies. Run in a sandbox or test account (use the Gandi sandbox API URL) first.
- Dependency/install gap: there is no install spec; you may need to run npm install in the scripts directory. Do this in an isolated environment and review dependencies beforehand.
- Credential handling: follow the SKILL.md advice: store PATs with least privilege, use file permissions 600 or environment variables supplied by a secrets manager, and rotate/revoke tokens after testing.

If you want higher assurance, ask the publisher for a canonical source URL (repo/homepage) or request a signed release build and a dependency manifest before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97897r7r2ymfna6efcad3yn8n821yvr

Runtime requirements

Bins: node, npm
Env: GANDI_API_TOKEN
Primary env: GANDI_API_TOKEN
