Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EdgeIQ Subdomain Hunter

v1.0.0

Performs passive subdomain enumeration using CT logs, DNS zone transfer checks, takeover detection, and optional bruteforce without active probing.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-subdomain-hunter.

Prompt preview (Install & Setup):
Install the skill "EdgeIQ Subdomain Hunter" (snipercat69/edgeiq-subdomain-hunter) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-subdomain-hunter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install snipercat69/edgeiq-subdomain-hunter

ClawHub CLI


npx clawhub@latest install edgeiq-subdomain-hunter
Security Scan

Capability signals: Crypto (can make purchases)
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The description promises 'passive' enumeration (CT logs, no active probing) but the code performs active DNS resolution, bruteforce queries, and attempts zone transfer/AXFR-like TCP interactions — these are active probes. The skill also includes a licensing/payment model even though registry metadata lists no required credentials or config. This mismatch between advertised 'passive' behavior and implemented active network probing is a substantive inconsistency.
Instruction Scope
SKILL.md and README instruct the user to set EDGEIQ_EMAIL or a license file to unlock Pro/Bundle and to run the Python script; the runtime code contacts crt.sh and performs DNS/hostname resolution and takeover checks. The docs repeatedly claim 'no active probing' while instructing bruteforce and AXFR checks. The instructions also propose using the skill from Discord, and include external links (Stripe, Discord) — those endpoints are expected for a paid tool, but the omission of EDGEIQ_* env vars from declared requirements is a scope mismatch.
Install Mechanism
There is no install spec (instruction-only), and no external binary downloads — the distribution is just Python files. This is lower risk than arbitrary remote downloads, but the package does include executable code that will run network operations. Also the SKILL.md implies copying files into ~/.openclaw/skills; the presence of code files contradicts the 'instruction-only' framing in metadata (minor inconsistency).
Credentials
Registry metadata declares no required env vars or credentials, yet SKILL.md and the code read EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY and a local license file (~/.edgeiq/license.key). The licensing module also treats a specific email (gpalmieri21@gmail.com) as sufficient to grant Pro/Bundle access — this is an undocumented local bypass and an odd, unjustified use of an env var. Requesting or using these env vars should have been declared and justified in metadata.
Persistence & Privilege
The skill does not request always: true and does not appear to modify other skills or system-wide agent settings. It reads a local license file and environment variables but does not request elevated privileges or persistent, autonomous installation. No evidence of persistent background processes or self-enablement beyond being installed as a skill.
What to consider before installing
This skill is inconsistent in important ways: it advertises passive reconnaissance but the code actively resolves hostnames, runs bruteforce resolution, and attempts zone-transfer-like network activity. Metadata says no env vars are required, yet the tool uses EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY, and ~/.edgeiq/license.key to unlock paid features — the author even hardcodes a specific email that will enable Pro features locally. Before installing or running: (1) review the Python source yourself or in an isolated VM/container to see exactly what network calls it makes; (2) do not set EDGEIQ_EMAIL to someone else's email (it will falsely grant Pro access locally); (3) be aware bruteforce and AXFR checks are active network actions and may be considered intrusive or illegal against domains you don't own — follow the legal notice; (4) ask the publisher for a homepage/source repo and clarification why EDGEIQ_EMAIL and license files are not declared in metadata. If you need passive-only CT scraping, consider using a tool that documents only CT queries and does not perform DNS bruteforce or AXFR attempts.
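One way to do the source review this verdict recommends, as an added example that is not code from the ClawHub page or the EdgeIQ skill: a small AST check that lists the environment variables, license-file paths, network modules and hard-coded e-mail literals a skill's Python source uses, so they can be compared against what the registry metadata declares (here, nothing). It runs over a constructed stand-in source whose e-mail address and paths are placeholders.

```python
# Added example (not the ClawHub page's or the EdgeIQ skill's code): AST vetting
# check listing env vars, license paths, network modules and hard-coded e-mails.
import ast
import re

# Constructed stand-in for a skill's source, mimicking the behaviour the scan
# report describes; e-mail and paths are placeholders, not the skill's own.
SAMPLE_SOURCE = '''
import os, socket, urllib.request
LICENSE_FILE = os.path.expanduser("~/.edgeiq/license.key")
def is_pro():
    email = os.environ.get("EDGEIQ_EMAIL", "")
    key = os.getenv("EDGEIQ_LICENSE_KEY")
    if email == "owner@example.invalid":   # local bypass pattern
        return True
    return key is not None or os.path.exists(LICENSE_FILE)
'''
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ssl", "dns"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _env_name(node):
    """Variable name read by os.getenv("X") or os.environ.get("X"), else None."""
    if isinstance(node, ast.Call) and node.args and isinstance(node.args[0], ast.Constant):
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr in ("getenv", "get"):
            base = f.value
            if (isinstance(base, ast.Name) and base.id == "os") or (
                    isinstance(base, ast.Attribute) and base.attr == "environ"):
                return node.args[0].value
    return None

def audit_skill_source(source, declared_env=()):
    # Walk every node once; collect imports, env reads and suspicious string literals.
    found = {k: set() for k in ("env_vars", "network_modules", "license_paths", "hardcoded_emails")}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            found["network_modules"].update(m.split(".")[0] for m in mods if m.split(".")[0] in NETWORK_MODULES)
        name = _env_name(node)
        if name:
            found["env_vars"].add(name)
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "license" in node.value.lower() and "/" in node.value:
                found["license_paths"].add(node.value)
            elif EMAIL_RE.match(node.value):
                found["hardcoded_emails"].add(node.value)
    # Anything the code reads that the metadata never declared is the scope mismatch.
    found["undeclared_env"] = found["env_vars"] - set(declared_env)
    return found

if __name__ == "__main__":
    print(audit_skill_source(SAMPLE_SOURCE))
```

Run it over each .py file shipped with a skill and compare `undeclared_env` and `license_paths` against the requirements the registry lists; a non-empty result is the kind of mismatch the verdict above describes.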
Static analysis finding

subdomain_hunter.py:216: Potential obfuscated payload detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Latest version id: vk97664drzz2zby3ph6v7jgq0gh85eg1j
40 downloads, 0 stars, 1 version, updated 22h ago
v1.0.0, license: MIT-0

Subdomain Hunter

Skill Name: subdomain-hunter
Version: 1.0.0
Category: Security / Reconnaissance
Price: Free (basic) / Pro ($19/mo) / Bundle ($39/mo)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib + socket, WSL + Linux


What It Does

Passive subdomain enumeration using Certificate Transparency logs, DNS zone transfer checks, and takeover detection. Reconnaissance-grade discovery without sending active probes.

⚠️ Legal Notice: Only enumerate domains you own or have explicit written permission to audit. Unauthorized recon is illegal.


Features

  • Certificate Transparency enumeration — scrape crt.sh for subdomain history
  • DNS zone transfer check — attempt AXFR with common NS records
  • Takeover detection — identify subdomains pointing to unclaimed/inactive services (CNAME to dead endpoints)
  • Common subdomain bruteforce — lightweight wordlist scan for common subdomains
  • Subdomain resolution — verify discovered subdomains resolve
  • JSON export — structured output for integration

Tier Comparison

Feature                  Free               Pro ($19/mo)        Bundle ($39/mo)
CT log enumeration       ✅ (50 results)    ✅ (unlimited)      ✅ (unlimited)
Zone transfer check
Takeover detection
Bruteforce wordlist                         ✅ (500 names)      ✅ (2000 names)
JSON export
Concurrent resolution                       ✅ (20 threads)     ✅ (50 threads)

Installation

cp -r /home/guy/.openclaw/workspace/apps/subdomain-hunter ~/.openclaw/skills/subdomain-hunter

Usage

Basic scan (free tier — 50 results)

python3 subdomain_hunter.py --domain example.com

Pro scan (unlimited + takeover detection)

EDGEIQ_EMAIL=your_email@gmail.com python3 subdomain_hunter.py --domain example.com --pro

Full bundle scan (bruteforce + concurrent threads)

EDGEIQ_EMAIL=your_email@gmail.com python3 subdomain_hunter.py --domain example.com --bundle --bruteforce

Export to JSON

python3 subdomain_hunter.py --domain example.com --output results.json

Check for takeovers only

python3 subdomain_hunter.py --domain example.com --takeover-only

As OpenClaw Discord Command

In #edgeiq-support channel:

!subdomain example.com
!subdomain example.com --takeover
!subdomain example.com --bruteforce

Parameters

Flag             Type     Default   Description
--domain         string             Target domain
--pro            flag     False     Enable Pro features
--bundle         flag     False     Enable Bundle features
--bruteforce     flag     False     Run common subdomain wordlist
--takeover       flag     False     Run takeover detection
--takeover-only  flag     False     Only run takeover detection
--output         string             Write JSON report to file
--threads        int      20/50     Concurrent threads (Pro/Bundle)

Output Example

=== Subdomain Hunter ===
example.com
  CT Entries:    47
  Resolved:      31
  Dead:          5
  Takeovers:     2 🔴

  Discovered subdomains:
    api.example.com         ✅ resolves → 1.2.3.4
    staging.example.com    ✅ resolves → 1.2.3.5
    dev.example.com         ❌ DEAD (CNAME to Heroku)
    old.example.com         🔴 TAKEOVER (no CNAME, 404)
    blog.example.com        ✅ resolves → 1.2.3.6

  Zone Transfer:  BLOCKED
  Threat Level:  MEDIUM

Pro Upgrade

Unlimited CT results, takeover detection, bruteforce wordlist, and JSON export:

👉 Upgrade to Pro — $19/mo


Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com
