Email Url Validator
v1.0.2Validate email addresses and URLs with real network checks (DNS MX, DNSBL, disposable domain detection, HTTP reachability, redirect chain tracing). Use whene...
⭐ 1· 54·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description claim live DNS/HTTP checks. The SKILL.md instructs the agent to call a hosted API that performs those checks; the agent-side footprint is minimal (no env vars, no binaries). Server-side env vars listed are clearly for self-hosting the service (Nevermined plan keys), which is appropriate and expected.
Instruction Scope
Instructions are explicit about the x402 payment handshake, consent gate (confirmed=false default), human-assisted vs autonomous modes, and handling bulk/sensitive uploads. The main scope concern for users is privacy: emails/URLs sent to the operator's hosted endpoint (deep-validator-production.up.railway.app) are transmitted off-agent. The SKILL.md does document consent and billing behavior, which mitigates but does not eliminate privacy/exfiltration risk.
Install Mechanism
Instruction-only skill with no install spec and no code executed on the agent. This is low-risk from an install/execution perspective.
Credentials
The skill declares no agent-side env vars (correct for a hosted API). The manifest and README list server-side env vars (NVM_API_KEY, NVM_PLAN_ID_*) for operators who self-host — these are appropriate for billing/payment on the service side. One optional server var (DEEP_VALIDATOR_API_KEY) would allow operator bypass of the x402 flow if set; that is a normal admin convenience but increases trust requirements for whoever runs the server.
Persistence & Privilege
always:false and no install means the skill does not persist or force inclusion. Autonomous invocation is allowed (platform default); combined with the documented automatic payment flow, this means an agent with wallet access could pay for validations if configured to send confirmed=true — the skill documents and warns about that. This behavior is coherent but requires the user to manage wallet/consent policies.
Assessment
This skill appears to do exactly what it says: call a hosted API that performs real DNS/HTTP checks and charges tiny credits via the x402 protocol. Before installing or invoking it, consider: (1) Privacy — emails/URLs you validate will be sent to the operator's hosted service (check the operator identity and hosting URL). (2) Billing/autonomy — the agent can pay using a Nevermined wallet if you or your agent sends confirmed=true or if autonomous mode is allowed; only enable automated billing where you explicitly trust and authorize it. (3) Self-hosting — if you cannot trust the hosted operator, you can self-host, but you must securely provision the server env vars (NVM_API_KEY, plan IDs) and beware of the optional DEEP_VALIDATOR_API_KEY which bypasses payment. (4) For bulk or sensitive lists, follow the SKILL.md advice: always use the human-assisted consent flow. If you need more assurance, verify the operator's repo/hosted URL and consider running the service under your control.Like a lobster shell, security has layers — review code before you run it.
latestvk9752hqqfb66qx565w6q0976m5841a79
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔍 Clawdis