Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GoDaddy API
v1.1.0
Complete GoDaddy API skill with shell scripts + MCP server for domains, DNS, certificates, shoppers, subscriptions, agreements, countries, and aftermarket li...
by Andrew @solarx56
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the included scripts and MCP server: everything is focused on GoDaddy domains, DNS, certs, shoppers, subscriptions, agreements and aftermarket. Required binaries (bash, curl, jq, node, npm) are appropriate for the provided shell scripts and Node MCP server. However the skill registry metadata declares no required environment variables or primary credential while the SKILL.md and all scripts require GODADDY_API_BASE_URL, GODADDY_API_KEY, and GODADDY_API_SECRET — a clear mismatch between claimed metadata and actual runtime needs.
Instruction Scope
SKILL.md and the shell scripts limit actions to GoDaddy API calls and include confirmation prompts for destructive/financial actions. Instructions recommend testing in OTE and not logging secrets. The only out-of-band operation is recommending appending export lines to ~/.bashrc or ~/.zshrc to persist credentials (documented), which writes to a user config file but is within the expected scope for CLI tools.
Install Mechanism
There is no platform install spec — the skill is instruction- and code-file-based. The MCP server requires running npm install/build (package.json and package-lock.json included), which will pull dependencies from the public npm registry. There are no downloads from arbitrary URLs or extract-from-URL steps, but running npm install will fetch third-party packages (normal but moderate risk if you don't review dependencies).
Credentials
The runtime requires three sensitive environment variables (GODADDY_API_BASE_URL, GODADDY_API_KEY, GODADDY_API_SECRET) that are used everywhere (shell scripts and MCP server). The registry entry incorrectly lists no required env vars or primary credential — this is a material metadata inconsistency. The SKILL.md also suggests echoing secrets into ~/.zshrc or ~/.bashrc for persistence, which increases the risk of long-lived secret exposure if users follow it blindly.
Persistence & Privilege
The skill does not request always:true and does not attempt to change other skills or system-wide agent settings. It does, however, instruct the user how to persist credentials into shell startup files and runs a local MCP server (node dist/index.js) which, if started, will hold credentials in its environment. These behaviors are expected for a local API client but mean you should avoid running the MCP server on an exposed machine or persisting secrets insecurely.
What to consider before installing
This skill appears to be a functional GoDaddy client, but the registry metadata does not declare the API credentials the code needs — treat that as a red flag. Before installing or running: (1) do not paste production API_KEY/SECRET into random shells; prefer testing in the OTE URL; (2) avoid blindly appending exports to ~/.zshrc or ~/.bashrc — instead use a secure secrets store, an env file with restricted permissions, or temporarily export in a session; (3) review package.json/package-lock and run npm install in an isolated environment (or scan dependencies) before starting the MCP server; (4) ensure the local MCP server is not exposed to untrusted networks; (5) if you need to proceed, confirm the skill author/source and update registry metadata to list the required env vars/primary credential so the permissions are transparent.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌐 Clawdis
Bins: bash, curl, jq, node, npm
