Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Porkbun Domains & DNS

v1.0.0

Manage domains and DNS via the Porkbun API. Use when asked to list domains, check domain availability, manage DNS records (A, AAAA, CNAME, MX, TXT, etc.), up...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for danielgrobelny/porkbun-domains.

Install the skill "Porkbun Domains & DNS" (danielgrobelny/porkbun-domains) from ClawHub.
Skill page: https://clawhub.ai/danielgrobelny/porkbun-domains
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install porkbun-domains

ClawHub CLI


npx clawhub@latest install porkbun-domains
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, and requested secrets (PORKBUN_API_KEY, PORKBUN_SECRET_KEY) align with the Porkbun API functionality implemented in scripts/porkbun.sh. No unrelated credentials, services, or binaries are requested.
Instruction Scope
SKILL.md directs use of scripts/porkbun.sh and documents reading keys from env or ~/.openclaw/workspace/.env. The script loads that .env using: eval "$(grep '^PORKBUN_' "$ENV_FILE" | sed 's/^/export /')" — this will execute any shell code appended to those lines, allowing arbitrary command execution if the .env is tampered with. The script also assumes runtime tools (curl, jq) are available but does not declare them.
Install Mechanism
Instruction-only skill with a bundled shell script and no install spec — low-install risk. However, the script relies on external tools (curl, jq, bash) at runtime; those are not enforced or documented as required binaries in the registry metadata.
Credentials
Only Porkbun API keys are required, which is proportionate. But the script reads a workspace .env file (OPENCLAW_WORKSPACE or ~/.openclaw/workspace/.env): exporting lines wholesale via eval can execute arbitrary code if the .env contains malicious content. The use of OPENCLAW_WORKSPACE is reasonable but increases the chance of reading unexpected files if that path is shared.
Persistence & Privilege
Skill is user-invocable, not always-enabled, and does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed by default (disable-model-invocation: false) but is not combined with other wide privileges here.
What to consider before installing
This skill appears to do what it claims (Porkbun domain/DNS management) and only needs your Porkbun API keys. However, the bundled script unsafely uses eval to export variables from a workspace .env file — if that .env is modified by an attacker or contains unexpected content, the script could execute arbitrary shell commands. Before installing or running: (1) inspect scripts/porkbun.sh yourself (you already have it); (2) avoid placing untrusted content in ~/.openclaw/workspace/.env or set PORKBUN_API_KEY and PORKBUN_SECRET_KEY directly in your environment instead; (3) ensure runtime tools (curl, jq, bash) are available; (4) consider patching the script to safely parse the .env (do not use eval; parse assignments and strip unsafe characters) or refuse to read a .env file at all. If the .env loading were rewritten to avoid eval (or removed) and runtime dependencies documented, this would be coherent and lower-risk.
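The eval-based loader quoted in the scan, next to one way to parse the .env as data instead, as an added example that is not the skill's own code. `load_porkbun_env` is a hypothetical function name, and the allowed character set for key values is an assumption.

```sh
# Unsafe loader quoted in the scan report: each matching line is evaluated as
# shell, so any text after the value runs as a command:
#   eval "$(grep '^PORKBUN_' "$ENV_FILE" | sed 's/^/export /')"

# load_porkbun_env FILE (hypothetical name): reads the file as data only.
# Assumption: key values are plain tokens of letters, digits, "_" and "-".
load_porkbun_env() {
  _pb_file=$1 _pb_api='' _pb_sec=''
  _pb_cr=$(printf '\r')
  [ -f "$_pb_file" ] || return 0            # no file: rely on the environment
  while IFS= read -r _pb_line || [ -n "$_pb_line" ]; do
    _pb_line=${_pb_line%"$_pb_cr"}          # tolerate CRLF line endings
    case $_pb_line in
      PORKBUN_API_KEY=*|PORKBUN_SECRET_KEY=*) ;;
      *) continue ;;                        # other lines are ignored, never exported
    esac
    _pb_key=${_pb_line%%=*}
    _pb_val=${_pb_line#*=}
    case $_pb_val in                        # strip one pair of matching quotes
      \"*\") _pb_val=${_pb_val#\"}; _pb_val=${_pb_val%\"} ;;
      \'*\') _pb_val=${_pb_val#\'}; _pb_val=${_pb_val%\'} ;;
    esac
    case $_pb_val in
      ''|*[!A-Za-z0-9_-]*)                  # fail closed on anything unexpected
        echo "refusing $_pb_key from $_pb_file: unexpected characters" >&2
        return 1 ;;
    esac
    case $_pb_key in
      PORKBUN_API_KEY) _pb_api=$_pb_val ;;
      PORKBUN_SECRET_KEY) _pb_sec=$_pb_val ;;
    esac
  done < "$_pb_file"
  # Export only after the whole file validated, so a bad file sets nothing.
  if [ -n "$_pb_api" ]; then export PORKBUN_API_KEY="$_pb_api"; fi
  if [ -n "$_pb_sec" ]; then export PORKBUN_SECRET_KEY="$_pb_sec"; fi
  return 0
}

# Constructed sample: the second line carries an appended command, as a tampered .env would.
_demo=$(mktemp)
printf '%s\n' 'PORKBUN_API_KEY=pk1_constructed' \
  'PORKBUN_SECRET_KEY=sk1_constructed; echo injected' > "$_demo"
load_porkbun_env "$_demo" || echo ".env rejected, nothing exported from it"
rm -f "$_demo"
```

Unlike the `grep '^PORKBUN_'` filter, this accepts only the two documented variable names, so an extra `PORKBUN_`-prefixed line in the file is ignored rather than exported.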

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Porkbun Domains & DNS

Manage domains and DNS records via the Porkbun API v3.

Setup

API keys: PORKBUN_API_KEY and PORKBUN_SECRET_KEY in environment or ~/.openclaw/workspace/.env.

Get keys at: https://porkbun.com/account/api

Shell Script

All operations via scripts/porkbun.sh. Run with bash <skill-dir>/scripts/porkbun.sh <command>.

Domain Commands

porkbun.sh ping                    # Test API connection
porkbun.sh list                    # List all domains (status, expiry, auto-renew)
porkbun.sh check example.com       # Check availability + pricing
porkbun.sh ns example.com          # Get current nameservers
porkbun.sh ns-update example.com ns1.cf.com ns2.cf.com  # Update nameservers
porkbun.sh auto-renew example.com on|off
porkbun.sh pricing                 # All TLD pricing (no auth needed)

DNS Commands

porkbun.sh dns-list example.com                        # List all records
porkbun.sh dns-create example.com A @ 76.76.21.21 600  # Create A record
porkbun.sh dns-create example.com CNAME www cname.vercel-dns.com
porkbun.sh dns-create example.com MX @ mail.example.com 300
porkbun.sh dns-create example.com TXT @ "v=spf1 include:_spf.google.com ~all"
porkbun.sh dns-delete example.com <record-id>
porkbun.sh dns-delete-type example.com A www            # Delete by type+name

URL Forwarding

porkbun.sh forward-add example.com https://target.com          # Root forward
porkbun.sh forward-add example.com https://target.com www      # Subdomain
porkbun.sh forward-add example.com https://target.com "" permanent
porkbun.sh forward-list example.com
porkbun.sh forward-delete example.com <id>

SSL

porkbun.sh ssl example.com         # Retrieve SSL cert bundle

Common Workflows

Point domain to Vercel

porkbun.sh dns-create example.com A @ 76.76.21.21
porkbun.sh dns-create example.com CNAME www cname.vercel-dns.com

Point domain to Cloudflare (DNS proxy)

porkbun.sh ns-update example.com adam.ns.cloudflare.com betty.ns.cloudflare.com

Redirect domain to another

porkbun.sh forward-add old-domain.com https://new-domain.com "" permanent

API Details

  • Base URL: https://api.porkbun.com/api/json/v3
  • All requests: HTTP POST with JSON body containing apikey + secretapikey
  • Rate limits apply — avoid tight loops, serialize requests
  • Domain registration via API is supported but use the dashboard for purchases
  • .de domains do not support WHOIS privacy (DENIC limitation)

Response Parsing

All responses include "status": "SUCCESS" or "status": "ERROR". Parse with jq:

porkbun.sh list | jq '.domains[] | {domain, status, expireDate}'
porkbun.sh dns-list example.com | jq '.records[] | {id, type, name, content}'
