← Back to Skills Marketplace
Subdomain Hunter
by
snipercat69
· GitHub ↗
· v1.4.0
· MIT-0
99
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install edgeiq-subdomain-hunter
Description
Performs passive subdomain enumeration using CT logs, DNS zone transfer checks, takeover detection, and optional bruteforce without active probing.
README (SKILL.md)
Subdomain Hunter
Skill Name: subdomain-hunter
Version: 1.0.0
Category: Security / Reconnaissance
Price: Lifetime: $39 / Optional Monthly: $7/mo (all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib + socket, WSL + Linux
What It Does
Passive subdomain enumeration using Certificate Transparency logs, DNS zone transfer checks, and takeover detection. Reconnaissance-grade discovery without sending active probes.
⚠️ Legal Notice: Only enumerate domains you own or have explicit written permission to audit. Unauthorized recon is illegal.
Features
- Certificate Transparency enumeration — scrape crt.sh for subdomain history
- DNS zone transfer check — attempt AXFR with common NS records
- Takeover detection — identify subdomains pointing to unclaimed/inactive services (CNAME to dead endpoints)
- Common subdomain bruteforce — lightweight wordlist scan for common subdomains
- Subdomain resolution — verify discovered subdomains resolve
- JSON export — structured output for integration
Tier Comparison
| Feature | Free | Pro ($19/mo) | Bundle ($39/mo) |
|---|---|---|---|
| CT log enumeration | ✅ (50 results) | ✅ (unlimited) | ✅ (unlimited) |
| Zone transfer check | ✅ | ✅ | ✅ |
| Takeover detection | — | ✅ | ✅ |
| Bruteforce wordlist | ✅ (2000 names) | ✅ (2000 names) | ✅ (2000 names) |
| JSON export | ✅ | ✅ | ✅ |
| Concurrent resolution | ✅ (50 threads) | ✅ (50 threads) | ✅ (50 threads) |
Installation
cp -r /home/guy/.openclaw/workspace/apps/subdomain-hunter ~/.openclaw/skills/subdomain-hunter
Usage
Basic scan (free tier — 50 results)
python3 subdomain_hunter.py --domain example.com
Pro scan (unlimited + takeover detection)
[email protected] python3 subdomain_hunter.py --domain example.com --pro
Full bundle scan (bruteforce + concurrent threads)
[email protected] python3 subdomain_hunter.py --domain example.com --bundle --bruteforce
Export to JSON
python3 subdomain_hunter.py --domain example.com --output results.json
Check for takeovers only
python3 subdomain_hunter.py --domain example.com --takeover-only
As OpenClaw Discord Command
In #edgeiq-support channel:
!subdomain example.com
!subdomain example.com --takeover
!subdomain example.com --bruteforce
Parameters
| Flag | Type | Default | Description |
|---|---|---|---|
--domain |
string | — | Target domain |
--pro |
flag | False | Enable Pro features |
--bundle |
flag | False | Enable Bundle features |
--bruteforce |
flag | False | Run common subdomain wordlist |
--takeover |
flag | False | Run takeover detection |
--takeover-only |
flag | False | Only run takeover detection |
--output |
string | — | Write JSON report to file |
--threads |
int | 20/50 | Concurrent threads (Pro/Bundle) |
Output Example
=== Subdomain Hunter ===
example.com
CT Entries: 47
Resolved: 31
Dead: 5
Takeovers: 2 🔴
Discovered subdomains:
api.example.com ✅ resolves → 1.2.3.4
staging.example.com ✅ resolves → 1.2.3.5
dev.example.com ❌ DEAD (CNAME to Heroku)
old.example.com 🔴 TAKEOVER (no CNAME, 404)
blog.example.com ✅ resolves → 1.2.3.6
Zone Transfer: BLOCKED
Threat Level: MEDIUM
Pricing
Lifetime License: $39 — your tool forever, all features included permanently.
Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime). 👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo
Pro Upgrade (deprecated)
All features now included in Lifetime purchase.
Support
Open a ticket in #edgeiq-support or email [email protected]
🔗 More from EdgeIQ Labs
edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.
- 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
- 📸 Screenshot API — URL-to-screenshot API for developers
- 🔔 uptime.check — URL uptime monitoring with alerts
- 🛡️ headers.check — HTTP security headers analyzer
Usage Guidance
This skill contains working code and will perform network activity when run. Before installing or running it:
- Don't trust the 'passive' label: the tool intentionally performs active DNS resolution, AXFR attempts (connecting to port 53), and optional bruteforce. Only run it against domains you own or have explicit written permission to audit.
- Metadata omission: the registry says no env vars are required, but the tool uses EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY and ~/.edgeiq/license.key for licensing—expect to provide these or to have the tool read your home directory.
- Licensing quirk: the licensing code contains a hardcoded allowance for a specific email address, and license logic reads files in your home directory. Review edgeiq_licensing.py to ensure it matches your expectations and doesn't unintentionally grant or leak access.
- Audit network behavior: the script queries crt.sh (https requests) and performs raw socket connections; if you are in a restrictive environment, run it in an isolated VM or container and inspect network traffic first.
- Verify provenance: source/homepage are missing and README points to an external GitHub user. If you need long-term trust, request a canonical source (repo, author identity) and validate the Stripe/payment links and contact email.
If you are uncertain, do not run this against real targets or production networks; review the code (subdomain_hunter.py and edgeiq_licensing.py) and run in an isolated environment. If the mismatches above worry you, treat this as potentially risky until provenance and env-var behavior are clarified.
Capability Tags
Capability Assessment
Purpose & Capability
The name/description (passive subdomain enumeration) is broadly consistent with the included code (crt.sh queries, DNS checks, takeover detection, bruteforce). However SKILL.md repeatedly claims 'no active probing' while the code: performs DNS resolution, attempts TCP connections to port 53 (zone transfer checks), and can run bruteforce—these are active network actions and contradict the passive claim. Also the SKILL.md and README advise using EDGEIQ_EMAIL / license files for Pro/Bundle, but the registry metadata lists no required env vars—an inconsistency.
Instruction Scope
Runtime instructions (SKILL.md) instruct users to run the included Python script and to set EDGEIQ_EMAIL for premium features. The doc promises 'passive' recon but the instructions and code enable active checks (AXFR attempts, resolution of many candidate hosts, optional bruteforce). SKILL.md also suggests copying files from a workspace path and using Discord commands, which are operational details outside the skill's declared metadata. The instructions grant the skill discretion to perform network probing beyond purely passive CT scraping.
Install Mechanism
There is no install specification (instruction-only), so nothing will be automatically downloaded/executed during install. The package does include Python files shipped with the skill; that means code will run on invocation but there is no installer that fetches remote archives or binaries. This is lower risk from an install mechanism perspective.
Credentials
Registry metadata says no required env vars, but SKILL.md and the code expect/use EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY and a license file under ~/.edgeiq/license.key. The licensing module also implicitly grants bundle access for a specific email ([email protected]). Asking for an email/env var and reading a license file in the user's home is reasonable for licensing, but the mismatch with declared metadata and the hardcoded permissive check for a specific email are noteworthy and unexpected.
Persistence & Privilege
The skill does not request 'always' presence and does not include an install script that writes to system-wide locations. It reads/writes a per-user license file (~/.edgeiq/license.key) which is normal for license management. There is no evidence it modifies other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install edgeiq-subdomain-hunter - After installation, invoke the skill by name or use
/edgeiq-subdomain-hunter - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs (no suffixes, correct live URLs)
v1.3.0
v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs
v1.2.0
v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.
v1.0.0
Initial release: CT enumeration, zone transfer check, takeover detection, bruteforce wordlist, JSON export.
Metadata
Frequently Asked Questions
What is Subdomain Hunter?
Performs passive subdomain enumeration using CT logs, DNS zone transfer checks, takeover detection, and optional bruteforce without active probing. It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.
How do I install Subdomain Hunter?
Run "/install edgeiq-subdomain-hunter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Subdomain Hunter free?
Yes, Subdomain Hunter is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Subdomain Hunter support?
Subdomain Hunter is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Subdomain Hunter?
It is built and maintained by snipercat69 (@snipercat69); the current version is v1.4.0.
More Skills