ClawHub

Domain WHOIS Lookup

v1.0.7

Look up domain WHOIS information, check email security (DMARC/SPF/DKIM), inspect TLS certificates, and capture website screenshots. Provides a comprehensive,...

0· 136·1 current·1 all-time
byDerek Chan@sxlderek
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The declared skill purpose (WHOIS/DNS/DMARC/SPF/DKIM/TLS + optional screenshots) matches the instructions and included screenshot helper. However, registry metadata lists no required binaries while SKILL.md and references/setup.md expect system tools (whois, dig, openssl). README also claims IDN→Punycode conversion but SKILL.md doesn't specify conversion steps — a documentation/metadata mismatch that should be corrected.
Instruction Scope
Runtime instructions are narrowly scoped to domain analysis: extract/validate domain, run whois/dig/openssl via safe exec, fetch IP country codes via ipinfo.io, check DNS TXT for DMARC/SPF/DKIM, and optionally take a screenshot only when tooling exists. The skill includes specific guards against command injection, path traversal, and timeout requirements.
Install Mechanism
This is an instruction-only skill (no install spec). The only code is an optional Node script that safely skips when Playwright/Chromium are absent. No downloads from external URLs or install steps are included, so install risk is low.
Credentials
The skill requests no credentials and the script only reads an optional DOMAININFO_SCREENSHOT_DEBUG env var. It does, however, rely on external system binaries (whois, dig, openssl) and makes outbound web_fetch calls to ipinfo.io for geolocation. Those external calls are consistent with the stated purpose but are not declared in the registry metadata — this mismatch should be fixed. No secret exfiltration mechanisms are present.
Persistence & Privilege
The skill does not request always:true, does not require persistent system-wide changes, and contains no code that modifies other skills or global agent configuration. Optional screenshot files are written only under the skill directory with path checks in place.
Assessment
This skill appears coherent and not malicious, but check these before installing: (1) Ensure the runtime provides the required system binaries (whois, dig, openssl) if you want full functionality — the registry metadata currently omits them. (2) The skill will make outbound requests to ipinfo.io for IP geolocation (no credentials required); if you want to avoid external calls, don't enable the skill. (3) Screenshots are optional and only attempted when browser tooling or Node+Playwright+Chromium are already present; the included script safely skips if those are missing. (4) There's a minor mismatch about IDN/Punycode handling in the README vs SKILL.md — if you rely on internationalized domains, ask the author to clarify how conversion is performed. If any of these behaviors are unacceptable, don't install or ask the publisher to correct the metadata/instructions first.

Like a lobster shell, security has layers — review code before you run it.

latestvk972q2nsn7cmnf337963qq2njh83ekh1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments