ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloudflare Dns Updater

v0.1.1

Creates or updates a proxied Cloudflare DNS A record. Use when you need to programmatically point a subdomain to an IP address. Takes record name, zone name, and IP address as input.

0· 1.6k·6 current·6 all-time
by@xieyuanqing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the included Python script: behavior is to create/update Cloudflare A records. Requiring python3 and the requests library is appropriate. However, the registry metadata lists no required environment variables or primary credential, while the SKILL.md and script explicitly require CLOUDFLARE_API_TOKEN; this metadata omission is inconsistent and worth flagging.
Instruction Scope
SKILL.md confines actions to: check for CLOUDFLARE_API_TOKEN, collect zone/record/IP, optionally fetch the host's public IP via https://ipv4.icanhazip.com/, and run the included script. There is no instruction to read unrelated files or exfiltrate data to unexpected endpoints. The external call to icanhazip is reasonable for discovering a public IP but is an external network operation the user should be aware of.
Install Mechanism
This is an instruction-only skill with a bundled Python script and a small requirements.txt (requests). No network downloads or archive extraction during install are required, which is low risk.
!
Credentials
The script and SKILL.md require CLOUDFLARE_API_TOKEN (a sensitive credential) but the registry metadata does not declare it as a required env var or primary credential. That mismatch is concerning because automated tooling or users may not realize a secret must be supplied. The requested token is proportionate for DNS edits, but you should confirm the token's permissions (use least privilege / zone-scoped token).
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system-wide settings, and is user-invocable. It requires only runtime invocation to execute the script.
What to consider before installing
This skill's code and documentation implement a normal Cloudflare DNS updater, but the registry metadata omitted the required CLOUDFLARE_API_TOKEN. Before installing or using it: 1) Confirm you can provide a CLOUDFLARE_API_TOKEN (set it in the environment) and verify the token is scoped with the minimum permissions (prefer zone-scoped DNS edit rights rather than a full account token). 2) Understand the agent will make outbound requests to Cloudflare and (optionally) to https://ipv4.icanhazip.com/ to detect public IP — run it in a network environment where those calls are acceptable. 3) Review the included script yourself (it is short and readable) and consider rotating the token after testing. 4) If you rely on registry metadata for automated policy enforcement, update it to declare CLOUDFLARE_API_TOKEN so the requirement isn't missed. If you cannot provide a properly-scoped token or cannot accept outbound network calls, do not enable the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk978qj40vfes867qn9zj26x2rs80mfbt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3

Comments