Porkbun
v0.1.2Manage Porkbun DNS records and domains via API v3. Use when Codex needs to create, read, update, or delete DNS records on Porkbun; list domains; configure API access; work with common record types (A, AAAA, CNAME, MX, TXT, etc.). The skill includes a CLI tool `scripts/porkbun-dns.js` for executing DNS operations reliably.
⭐ 0· 1.1k·0 current·0 all-time
byWilliam Mantly@wmantly
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description, SKILL.md, package.json, and scripts/porkbun-dns.js all describe the same purpose (manage Porkbun DNS via API v3). The CLI implements list/get/create/edit/delete operations that match the described functionality.
Instruction Scope
Runtime instructions ask the agent/user to provide Porkbun API keys via environment variables or a config file (~/.config/porkbun/config.json). The SKILL.md and the script reference only Porkbun's API endpoints (api.porkbun.com) and local config paths; they do not attempt to read unrelated system files. Note: the top registry summary showed 'Required env vars: none', which contradicts package.json and SKILL.md that require PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY.
Install Mechanism
This is an instruction-only skill with no install spec and a single CLI script included. Nothing is downloaded at install time and no external installers or URLs are used, minimizing install-time risk.
Credentials
The script legitimately needs Porkbun API credentials. package.json and SKILL.md declare PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY and a config path; these are proportionate. Caveat: the registry metadata at the top of the report erroneously listed 'Required env vars: none' — this mismatch should be corrected before trusting automated policies that rely on registry metadata. The tool will read HOME to locate the config file; storing the secret in plaintext at ~/.config/porkbun/config.json is expected but users should ensure file permissions are restricted.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not persist beyond its included files. Autonomous invocation is allowed (platform default) but not combined with elevated privileges or unrelated credential access.
Assessment
This skill appears to be what it claims (a Porkbun DNS CLI). Before installing or providing credentials: 1) Verify the skill source (homepage in package.json points to an external git host; confirm you trust the owner). 2) Prefer exporting ephemeral API keys or use a key pair with minimal privileges; rotate keys after use. 3) If using the config file (~/.config/porkbun/config.json), restrict file permissions (e.g., chmod 600). 4) Review the script if possible — it posts credentials only to api.porkbun.com; look for unexpected endpoints. 5) Note the registry metadata inconsistency (it listed no required env vars while package.json and SKILL.md do); correct metadata or confirm requirements before automating deployment. Finally, the script has a minor bug (uses console.err which is undefined) but that is not a security issue — it's a quality note.Like a lobster shell, security has layers — review code before you run it.
latestvk970495zpmjvycwxftr1jy3n1x80zp5k
License
MIT-0
Free to use, modify, and redistribute. No attribution required.