← Back to Skills Marketplace
iahmadzain

Domainion Ops

by iAhmadZain · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
371
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install domainion-ops
Description
Domain and DNS operations across name.com (default), GoDaddy, and Namecheap. Use for registering domains, flipping nameservers, managing DNS records (A, AAAA...
README (SKILL.md)

Domainion Ops

Multi-provider domain and DNS management. Default provider: name.com.

Provider Selection

Provider When to use Reference
name.com (default) Unless user specifies otherwise references/name-com.md
GoDaddy User says "GoDaddy" or has GoDaddy account references/godaddy.md
Namecheap User says "Namecheap" or has Namecheap account references/namecheap.md

Read only the relevant provider reference. Do not load all three.

Credentials Setup

Before any operation, verify credentials exist. Store in env or ~/.domainion:

# name.com (default)
NAMECOM_USERNAME=your_username
NAMECOM_TOKEN=your_api_token      # name.com > Account > API Settings

# GoDaddy
GODADDY_API_KEY=your_key
GODADDY_API_SECRET=your_secret   # developer.godaddy.com > API Keys

# Namecheap
NAMECHEAP_USERNAME=your_username
NAMECHEAP_API_KEY=your_api_key   # namecheap.com > Profile > Tools > API Access
NAMECHEAP_CLIENT_IP=your_ip      # Your whitelisted IP

If credentials are missing, prompt the user for the relevant provider's creds before proceeding.

Common Workflows

1. Check domain availability

# name.com (default)
curl -u "$NAMECOM_USERNAME:$NAMECOM_TOKEN" \
  "https://api.name.com/v4/domains:checkAvailability" \
  -d '{"domainNames":["example.com"]}'

→ See provider reference for GoDaddy / Namecheap equivalents.

2. DNS record management (add/update/delete)

Load provider reference for exact API calls. General pattern:

  • List records first to confirm state
  • Add or Update with idempotency check (avoid duplicates)
  • Verify with dig after change

3. Nameserver change

Always confirm registrar before changing NS. Wrong registrar = silent failure. Load provider reference for exact API call.

4. Verify DNS propagation

# Primary check (Cloudflare resolver — fast TTL)
dig +short example.com @1.1.1.1

# Authoritative check
dig +short example.com @8.8.8.8

# Full record check
dig example.com ANY +noall +answer

# HTTP redirect verify
curl -sI https://example.com | grep -i location

5. TTL Strategy

  • Lowering TTL before a change: set to 300 (5 min) at least 1 TTL cycle before
  • After change confirmed: restore to 3600 or higher
  • Never lower TTL after making the change — too late

Guardrails

  • Confirm domain + provider before any destructive action (NS change, record delete)
  • List existing records before adding to avoid duplicates
  • Prefer reversible steps; verify after each change
  • Never expose API tokens/secrets in output
  • For MX changes: always keep at least one valid MX record live during migration
Usage Guidance
What to consider before installing and using this skill: - Source verification: The skill has no homepage and an unknown source. Prefer skills from known authors or with a verifiable homepage. - Metadata mismatch: The registry declares no required env vars or binaries, but SKILL.md expects multiple API keys and CLI tools (curl, dig, xmllint, python3, grep). Confirm with the publisher or platform how secrets and required system tools are handled before use. - Secrets handling: SKILL.md suggests storing provider API keys in environment variables or in ~/.domainion (a plaintext file). Do not store long-lived credentials in plaintext if you can avoid it — use your platform's secret storage, short-lived or least-privilege API keys, or sandbox/test accounts. Only provide keys at the moment of an interactive operation if possible. - Namecheap IP whitelist: Namecheap requires a whitelisted client IP. The skill suggests using ifconfig.me to detect your IP — that makes an external request and reveals your public IP to that service. If you must use Namecheap, prefer a controlled method to determine IP (your corporate NAT address, an internal check) rather than a public probe. - Required tools: The skill's examples depend on command-line tools (curl, dig, grep, xmllint, python3). Ensure your agent runtime/environment has those tools and understand that the agent may execute network-facing commands. - Minimizing blast radius: Create and use limited-scope API keys where possible (sandbox/test keys, readonly keys for checks). Avoid giving full account keys unless absolutely needed (e.g., purchases). Monitor and revoke keys after use if feasible. - Supervision and prompts: The skill's instructions say to prompt for creds if missing. Prefer interactive invocation only (do not enable automatic/autonomous invocation for this skill) and confirm destructive actions (nameserver changes, full zone replaces) each time. - Questions to ask the publisher/platform before installing: Why metadata omits required env vars and binaries? Will the platform treat the listed provider env names as secrets and encrypt/store them? Can the skill be limited to interactive invocation only? Is there an official maintainer or homepage for support? Given the coherence of the API examples but the metadata mismatches and weak secret-storage guidance, proceed only after clarifying the above points, using limited/sandbox credentials, and avoiding storing secrets in plaintext.
Capability Analysis
Type: OpenClaw Skill Name: domainion-ops Version: 1.0.0 The skill is designed for high-privilege domain and DNS operations, which inherently carries significant risk. While the instructions include good security guardrails (e.g., 'Never expose API tokens/secrets in output', warnings about destructive actions), the `references/namecheap.md` file includes `python3 -c` commands for XML parsing. This pattern, while used for a legitimate purpose (parsing API responses), introduces a potential shell injection vulnerability (RCE risk) if the input to `python -c` were to be maliciously crafted or if unsanitized user input were passed into the command string by the agent. There is no evidence of intentional malicious behavior, but the presence of this vulnerability and the broad, powerful capabilities classify it as suspicious.
Capability Assessment
Purpose & Capability
The skill's name and description (multi-registrar domain/DNS operations) align with the documented API calls in the reference files — the curl examples and API flows are consistent with name.com, GoDaddy, and Namecheap functionality. However, the registry metadata declares no required environment variables or binaries while the SKILL.md clearly expects multiple provider API credentials and use of CLI tools (curl, dig, grep, xmllint, python3). This metadata/instruction mismatch is unexpected and should be clarified.
Instruction Scope
The SKILL.md explicitly instructs the agent to verify credentials in environment variables or in ~/.domainion and to prompt the user if credentials are missing; it also contains many shell command examples (curl, dig, xmllint, python3, grep). Because the skill is instruction-only, those commands would be executed by the agent runtime environment — yet the registry does not declare those binaries. The instructions also recommend using ifconfig.me to detect client IP for Namecheap (this leaks your IP to an external service) and advise storing credentials in a file in the home directory (~/.domainion), which is a persistence and secrecy concern. The guide's guardrails (don't print tokens) are good, but the instructions give broad discretion to read environment/home files and run network commands, which increases risk if the skill is invoked without user supervision.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That lowers risk from arbitrary code installs because nothing will be pulled or executed on disk by an installer. The security surface is entirely the runtime instructions the agent will follow.
Credentials
Although the registry lists no required env vars, the SKILL.md requires multiple provider credentials (NAMECOM_USERNAME, NAMECOM_TOKEN, GODADDY_API_KEY, GODADDY_API_SECRET, NAMECHEAP_USERNAME, NAMECHEAP_API_KEY, NAMECHEAP_CLIENT_IP) and suggests storing them in env or ~/.domainion. Requesting those provider keys is proportional to domain management, but the omission from declared requirements is an incoherence. Also requesting NAMECHEAP_CLIENT_IP (and suggesting discovery via ifconfig.me) exposes your public IP to a third-party service — reasonable for Namecheap's IP-whitelist workflow but should be called out explicitly in metadata. Overall, secrets handling guidance is weak (plaintext file) and the platform metadata should list the envs so users and the agent platform can apply secret protections.
Persistence & Privilege
always is false (good) and disable-model-invocation is default (agent may call it autonomously). The SKILL.md suggests storing credentials in ~/.domainion, which would create persistent local secrets if followed — this is a user-level design choice rather than an encoded install. Because the skill can be invoked by the agent and has instructions to check local env/files for creds, the combination of autonomous invocation + undeclared secrets storage is something to be careful about, though not malicious by itself.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install domainion-ops
  3. After installation, invoke the skill by name or use /domainion-ops
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: domain & DNS ops across name.com (default), GoDaddy, and Namecheap. Covers registration, nameservers, DNS records, redirects, transfers, and DNSSEC.
Metadata
Slug domainion-ops
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Domainion Ops?

Domain and DNS operations across name.com (default), GoDaddy, and Namecheap. Use for registering domains, flipping nameservers, managing DNS records (A, AAAA... It is an AI Agent Skill for Claude Code / OpenClaw, with 371 downloads so far.

How do I install Domainion Ops?

Run "/install domainion-ops" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Domainion Ops free?

Yes, Domainion Ops is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Domainion Ops support?

Domainion Ops is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Domainion Ops?

It is built and maintained by iAhmadZain (@iahmadzain); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments