Buy Domain Helper

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

The helper mostly matches its Cloudflare hosting purpose, but it requests an unrelated token and runs unpinned or unsafe commands that users should review before use.

Only use this skill if you are comfortable giving it narrowly scoped Cloudflare permissions. Avoid pasting long-lived tokens into commands or chat, review the domain and DNS changes before running them, and treat the current version as needing fixes for the unrelated NETA_TOKEN requirement, unpinned npx execution, and unsafe wrangler shell command.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A crafted project name or path could cause unintended local shell commands to run, with Cloudflare token and account values present in the environment.

Why it was flagged

dir and projectName come from user-controlled CLI arguments and are interpolated into a shell command rather than passed as a safe argument array.

Skill content
execSync(`wrangler pages deploy "${dir}" --project-name "${projectName}" --branch main 2>&1`, { env })
Recommendation

Replace execSync shell strings with spawn/execFile argument arrays, validate project names and paths, and avoid invoking a shell for user-controlled values.

What this means

Running a static-directory tunnel may download and execute whatever npm currently resolves for the serve package, adding supply-chain risk.

Why it was flagged

The tunnel workflow automatically runs an unpinned npm package through npx -y, and that dependency is not clearly declared or version-pinned in the skill metadata.

Skill content
const serveProc = spawn('npx', ['-y', 'serve', target, '-p', '8080', '-s'], { stdio: 'ignore' });
Recommendation

Declare and pin the dependency, vendor or verify the helper used to serve files, or ask for explicit user confirmation before running unpinned remote packages.

What this means

Users may be asked to provide an unnecessary third-party API token unrelated to buying domains or deploying Cloudflare Pages.

Why it was flagged

The stated skill purpose and code are Cloudflare-focused, but package metadata declares a required Neta AI token that is unrelated to the documented workflow.

Skill content
"name": "NETA_TOKEN", "description": "Neta AI API token. Get it at https://www.neta.art/open/", "required": true
Recommendation

Remove the NETA_TOKEN requirement unless it is truly needed and fully documented; keep credential declarations aligned with the actual Cloudflare-only workflow.

What this means

Tokens passed on the command line can be saved in shell history or visible to local process-inspection tools while the command runs.

Why it was flagged

Cloudflare tokens are expected for this integration, but the documented examples pass them through command-line arguments.

Skill content
node site.js deploy my-site ./my-site --token <PAGES_TOKEN> --account <ACCOUNT_ID>
Recommendation

Prefer environment variables, a secret manager, or the platform’s secure credential mechanism; use narrowly scoped tokens and revoke them after use if possible.

What this means

A wrong zone ID or project name could point the root domain at the wrong Pages project or disrupt existing DNS expectations.

Why it was flagged

The helper can make persistent DNS changes in a Cloudflare zone; this is aligned with the custom-domain feature but is high-impact account mutation.

Skill content
await api('POST', `/zones/${zoneId}/dns_records`, { type: 'CNAME', name: '@', content: `${projectName}.pages.dev`, proxied: true })
Recommendation

Confirm the domain, zone ID, project name, and existing DNS records before running DNS-linking commands, and use a DNS token scoped only to the intended zone.