dotld

Security checks across malware telemetry and agentic risk

Overview

This domain-search skill does what it says, but users should review it because its installer runs mutable remote code and its CLI can persist a production Dynadot API key insecurely.

Install only after reviewing or pinning the upstream installer and binary. Prefer setting DYNADOT_API_PRODUCTION_KEY in your environment instead of passing --dynadot-key, and if the config file is created, restrict it to owner-only permissions such as 0600.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 96%
Finding
The installation instructions tell users to pipe a remotely fetched script directly into bash, which executes unreviewed code from the network with no integrity verification or inspection step. If the upstream GitHub content, repository, branch, or delivery path is compromised, users could execute arbitrary code on their machine while trying to install the tool.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill states that `--dynadot-key <key>` auto-saves the API key to local config, but it does not warn about the security implications of placing secrets on the command line or persisting them to disk. Command-line secrets may be exposed via shell history, process listings, logs, or backups, and silent persistence increases the chance of unintended credential disclosure.

Missing User Warnings

Medium
Confidence: 92%
Finding
Automatically persisting a secret provided on the command line can surprise users and cause long-lived credential exposure beyond the immediate operation they intended. In an agent skill context, this is more dangerous because a one-time invocation may silently leave reusable API credentials on disk, increasing the blast radius if the host or home directory is later accessed by another process or user.

Missing User Warnings

High
Confidence: 98%
Finding
Storing an API key in a config file with 0644 permissions makes it readable by other local users on multi-user systems, directly exposing a reusable credential. In this skill's context, the risk is heightened because the tool explicitly persists the Dynadot API key, so the insecure permission choice turns ordinary use into credential leakage.

VirusTotal

64/64 vendors flagged this skill as clean.