← Back to Skills Marketplace
754
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install namecheap-dns
Description
Manage Namecheap DNS records safely by fetching existing entries, merging changes, auto-backing up, previewing diffs, dry-running, and rolling back updates.
Usage Guidance
This skill appears to implement a legitimate Namecheap DNS helper, but the metadata published with the skill is incomplete. Before installing or running it: (1) expect to set NAMECHEAP_API_KEY, NAMECHEAP_USERNAME, and NAMECHEAP_API_USER in your environment — the script will exit without them; (2) ensure the host has 'dig' (the script calls dig via execSync) and you understand npm install will pull dependencies into the skill folder; (3) Namecheap requires your client IP to be whitelisted — the script queries https://ifconfig.me/ip to obtain your IP and sends it to the API; (4) backups are written to disk (default skill/backups or configurable via NAMECHEAP_BACKUP_DIR) so verify the storage location and permissions; (5) review package.json/package-lock.json (axios and common deps) and audit/install in a controlled environment if you don't trust the source. The primary issue is inconsistency between what the skill actually requires and what the registry metadata declares — if you intend to use it, request the publisher correct the metadata or confirm the required env vars and the need for 'dig' before proceeding.
Capability Analysis
Type: OpenClaw Skill
Name: namecheap-dns
Version: 1.1.0
The skill's stated purpose and overall design are benign, aiming to provide a safer wrapper for Namecheap DNS management. However, the `namecheap-dns.js` script contains a shell injection vulnerability. User-controlled inputs (`fullDomain` and `sub`) are directly interpolated into `execSync` calls for the `dig` command (e.g., `execSync(`dig +short ${fullDomain} ${type}`)`). This lack of input sanitization could allow an attacker to execute arbitrary commands if they can control the domain argument, making it a critical vulnerability, but not evidence of intentional malicious behavior.
Capability Assessment
Purpose & Capability
The skill's stated purpose (managing Namecheap DNS) legitimately requires Namecheap API credentials and network access to Namecheap; the code indeed requires NAMECHEAP_API_KEY, NAMECHEAP_USERNAME and NAMECHEAP_API_USER. However the registry metadata declares no required environment variables or primary credential — that's an inconsistency that could mislead users about what secrets are needed. Additionally the code runs system 'dig' commands but the declared required binaries only list node and npm, not dig.
Instruction Scope
SKILL.md instructs the user to run npm install and set NAMECHEAP_* env vars, and the script performs network calls (Namecheap API and https://ifconfig.me/ip) and executes system 'dig' via execSync to enumerate live DNS. Those actions are within the DNS-management purpose, but they reference system binaries (dig) and an external IP service that are not reflected in the registry metadata. The script also writes backup files to disk (defaulting to a backups directory under the skill) and will abort if required env vars are missing.
Install Mechanism
There is no automated install spec in the registry (instruction-only), but the package.json and package-lock.json are included and SKILL.md tells users to run npm install in the skill directory. That is a reasonable manual install approach, but users should be aware that running npm install will write node_modules to disk and pull third-party packages (axios and its dependencies).
Credentials
The code requires NAMECHEAP_API_KEY, NAMECHEAP_USERNAME, and NAMECHEAP_API_USER (and optionally NAMECHEAP_BACKUP_DIR and DEBUG) — but the registry metadata lists no required env vars or primary credential. Requesting API keys is proportionate to the stated purpose, but the missing declaration is an important mismatch. The script also retrieves the public IP from ifconfig.me (to send to Namecheap for whitelisting).
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes backups to its own backup directory (default relative to the skill or configurable via NAMECHEAP_BACKUP_DIR). It uses execSync to run dig but that is local execution within the skill's scope. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk flags.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install namecheap-dns - After installation, invoke the skill by name or use
/namecheap-dns - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added verify command for ghost record detection, automatic safety checks before destructive operations, DNS snapshots in backups, configurable backup directory
v1.0.0
Initial release: safe DNS record management with fetch-merge-write, dry-run, auto-backups, rollback
Metadata
Frequently Asked Questions
What is Namecheap DNS?
Manage Namecheap DNS records safely by fetching existing entries, merging changes, auto-backing up, previewing diffs, dry-running, and rolling back updates. It is an AI Agent Skill for Claude Code / OpenClaw, with 754 downloads so far.
How do I install Namecheap DNS?
Run "/install namecheap-dns" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Namecheap DNS free?
Yes, Namecheap DNS is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Namecheap DNS support?
Namecheap DNS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Namecheap DNS?
It is built and maintained by jarekbird (@jarekbird); the current version is v1.1.0.
More Skills