ClawHub

GoDaddy API

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it says for GoDaddy, but its MCP server gives an agent direct power to make costly or destructive account changes without built-in approval checks.

Review this skill carefully before installing, especially if you plan to use the MCP server with production GoDaddy credentials. Prefer OTE/test credentials first, avoid storing secrets in shell startup files, do not paste credential debug output into logs or chats, and only connect the MCP server where you have separate human approval or other controls for purchases, deletions, DNS replacement, certificate revocation, and cancellations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly instructs users to append long-lived API credentials to shell startup files, which stores secrets in plaintext on disk and causes them to be loaded into every interactive shell session. This increases the chance of credential exposure through local compromise, backups, dotfile sync, screen sharing, or accidental disclosure of shell configuration files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The troubleshooting example instructs users to echo the full API key and a partial secret to the terminal. Even though the secret is truncated, printing credentials to stdout increases the risk of accidental disclosure through shell history capture, terminal logging, screenshots, shared sessions, CI logs, or support transcripts. In a GoDaddy API skill, these credentials grant access to domain and DNS management, so exposure can enable account misuse or service disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The MCP server exposes many high-risk GoDaddy operations such as domain purchase, delete, transfer, contact updates, DNS replacement, certificate revocation, and subscription cancellation directly as callable tools with no confirmation, approval gate, allowlist, or separation between read-only and mutating actions. In an agent context, this is dangerous because an LLM or connected client can trigger irreversible account and infrastructure changes from a single prompt, increasing the chance of accidental misuse, prompt-injection-driven actions, or unauthorized destructive changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This MCP server exposes multiple high-risk state-changing tools such as domain purchase, deletion, transfer, DNS replacement, privacy toggling, certificate revocation, shopper deletion, and subscription cancellation directly to any MCP client request without any built-in confirmation, authorization tiering, policy gating, or dry-run safeguards. In an agent context, a prompt-influenced or mistaken tool call could immediately cause irreversible account and service changes, making the lack of guardrails materially dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal