Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
dotld
v1.0.1
Search domain name availability and registration prices. Use when the user mentions domains, TLDs, domain registration, domain availability, or wants to find...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (dotld), and required environment variable (DYNADOT_API_PRODUCTION_KEY) align: a Dynadot API key is expected for live availability/pricing queries and the CLI is the tool the skill runs.
Instruction Scope
SKILL.md stays within the domain-focused scope (lookups, keyword expansion, JSON output). However, it explicitly instructs users to install the tool by piping a remote script to bash (curl -fsSL https://raw.githubusercontent.com/tedstonne/dotld/main/scripts/install.sh | bash), which expands the runtime actions beyond just using the CLI and introduces execution of remote code.
Install Mechanism
There is no formal install spec in the registry metadata, but the README recommends downloading and executing a script directly from raw.githubusercontent.com via a curl | bash pipeline. While GitHub raw is a common host, piping a remote script to a shell is a high-risk pattern because it executes code fetched at install time without local review.
Credentials
Requesting a single Dynadot production API key is proportionate to the stated purpose. The README also documents auto-saving keys to ~/.config/dotld/config.json with file mode 0644 (world-readable by default on many systems), which raises privacy/secret-storage concerns — the skill will persist the credential in plaintext unless the user avoids using --dynadot-key or changes permissions.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It does create and write its own config file under the user's home (~/.config/dotld/config.json) when a key is provided via --dynadot-key. Writing its own config is normal, but users should be aware the key may be persisted automatically.
What to consider before installing
This skill appears to do what it says (domain availability/pricing via Dynadot) but includes two practical risks you should weigh before installing:
(1) The SKILL.md suggests installing dotld by piping a remote install script to bash — avoid running that blindly; instead inspect the install script first or install the binary from a trusted, reproducible source or package.
(2) The CLI auto-saves any key passed via --dynadot-key to ~/.config/dotld/config.json with mode 0644, which can expose your API key to other local users; prefer setting DYNADOT_API_PRODUCTION_KEY in your environment (and not using --dynadot-key), or after installing, change the config file permissions (e.g., chmod 600) and inspect the config content.
Additional precautions: review the referenced install script on GitHub before running it, run the installer in an isolated environment if possible, verify the dotld binary provenance (checksums/signatures if available), and revoke/regenerate your Dynadot key if you later suspect compromise.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: dotld
Env: DYNADOT_API_PRODUCTION_KEY
Primary env: DYNADOT_API_PRODUCTION_KEY
