← 返回 Skills 市场
Domainion Ops
作者
iAhmadZain
· GitHub ↗
· v1.0.0
371
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install domainion-ops
功能描述
Domain and DNS operations across name.com (default), GoDaddy, and Namecheap. Use for registering domains, flipping nameservers, managing DNS records (A, AAAA...
使用说明 (SKILL.md)
Domainion Ops
Multi-provider domain and DNS management. Default provider: name.com.
Provider Selection
| Provider | When to use | Reference |
|---|---|---|
| name.com (default) | Unless user specifies otherwise | references/name-com.md |
| GoDaddy | User says "GoDaddy" or has GoDaddy account | references/godaddy.md |
| Namecheap | User says "Namecheap" or has Namecheap account | references/namecheap.md |
Read only the relevant provider reference. Do not load all three.
Credentials Setup
Before any operation, verify credentials exist. Store in env or ~/.domainion:
# name.com (default)
NAMECOM_USERNAME=your_username
NAMECOM_TOKEN=your_api_token # name.com > Account > API Settings
# GoDaddy
GODADDY_API_KEY=your_key
GODADDY_API_SECRET=your_secret # developer.godaddy.com > API Keys
# Namecheap
NAMECHEAP_USERNAME=your_username
NAMECHEAP_API_KEY=your_api_key # namecheap.com > Profile > Tools > API Access
NAMECHEAP_CLIENT_IP=your_ip # Your whitelisted IP
If credentials are missing, prompt the user for the relevant provider's creds before proceeding.
Common Workflows
1. Check domain availability
# name.com (default)
curl -u "$NAMECOM_USERNAME:$NAMECOM_TOKEN" \
"https://api.name.com/v4/domains:checkAvailability" \
-d '{"domainNames":["example.com"]}'
→ See provider reference for GoDaddy / Namecheap equivalents.
2. DNS record management (add/update/delete)
Load provider reference for exact API calls. General pattern:
- List records first to confirm state
- Add or Update with idempotency check (avoid duplicates)
- Verify with
digafter change
3. Nameserver change
Always confirm registrar before changing NS. Wrong registrar = silent failure. Load provider reference for exact API call.
4. Verify DNS propagation
# Primary check (Cloudflare resolver — fast TTL)
dig +short example.com @1.1.1.1
# Authoritative check
dig +short example.com @8.8.8.8
# Full record check
dig example.com ANY +noall +answer
# HTTP redirect verify
curl -sI https://example.com | grep -i location
5. TTL Strategy
- Lowering TTL before a change: set to 300 (5 min) at least 1 TTL cycle before
- After change confirmed: restore to 3600 or higher
- Never lower TTL after making the change — too late
Guardrails
- Confirm domain + provider before any destructive action (NS change, record delete)
- List existing records before adding to avoid duplicates
- Prefer reversible steps; verify after each change
- Never expose API tokens/secrets in output
- For MX changes: always keep at least one valid MX record live during migration
安全使用建议
What to consider before installing and using this skill:
- Source verification: The skill has no homepage and an unknown source. Prefer skills from known authors or with a verifiable homepage.
- Metadata mismatch: The registry declares no required env vars or binaries, but SKILL.md expects multiple API keys and CLI tools (curl, dig, xmllint, python3, grep). Confirm with the publisher or platform how secrets and required system tools are handled before use.
- Secrets handling: SKILL.md suggests storing provider API keys in environment variables or in ~/.domainion (a plaintext file). Do not store long-lived credentials in plaintext if you can avoid it — use your platform's secret storage, short-lived or least-privilege API keys, or sandbox/test accounts. Only provide keys at the moment of an interactive operation if possible.
- Namecheap IP whitelist: Namecheap requires a whitelisted client IP. The skill suggests using ifconfig.me to detect your IP — that makes an external request and reveals your public IP to that service. If you must use Namecheap, prefer a controlled method to determine IP (your corporate NAT address, an internal check) rather than a public probe.
- Required tools: The skill's examples depend on command-line tools (curl, dig, grep, xmllint, python3). Ensure your agent runtime/environment has those tools and understand that the agent may execute network-facing commands.
- Minimizing blast radius: Create and use limited-scope API keys where possible (sandbox/test keys, readonly keys for checks). Avoid giving full account keys unless absolutely needed (e.g., purchases). Monitor and revoke keys after use if feasible.
- Supervision and prompts: The skill's instructions say to prompt for creds if missing. Prefer interactive invocation only (do not enable automatic/autonomous invocation for this skill) and confirm destructive actions (nameserver changes, full zone replaces) each time.
- Questions to ask the publisher/platform before installing: Why metadata omits required env vars and binaries? Will the platform treat the listed provider env names as secrets and encrypt/store them? Can the skill be limited to interactive invocation only? Is there an official maintainer or homepage for support?
Given the coherence of the API examples but the metadata mismatches and weak secret-storage guidance, proceed only after clarifying the above points, using limited/sandbox credentials, and avoiding storing secrets in plaintext.
功能分析
Type: OpenClaw Skill
Name: domainion-ops
Version: 1.0.0
The skill is designed for high-privilege domain and DNS operations, which inherently carries significant risk. While the instructions include good security guardrails (e.g., 'Never expose API tokens/secrets in output', warnings about destructive actions), the `references/namecheap.md` file includes `python3 -c` commands for XML parsing. This pattern, while used for a legitimate purpose (parsing API responses), introduces a potential shell injection vulnerability (RCE risk) if the input to `python -c` were to be maliciously crafted or if unsanitized user input were passed into the command string by the agent. There is no evidence of intentional malicious behavior, but the presence of this vulnerability and the broad, powerful capabilities classify it as suspicious.
能力评估
Purpose & Capability
The skill's name and description (multi-registrar domain/DNS operations) align with the documented API calls in the reference files — the curl examples and API flows are consistent with name.com, GoDaddy, and Namecheap functionality. However, the registry metadata declares no required environment variables or binaries while the SKILL.md clearly expects multiple provider API credentials and use of CLI tools (curl, dig, grep, xmllint, python3). This metadata/instruction mismatch is unexpected and should be clarified.
Instruction Scope
The SKILL.md explicitly instructs the agent to verify credentials in environment variables or in ~/.domainion and to prompt the user if credentials are missing; it also contains many shell command examples (curl, dig, xmllint, python3, grep). Because the skill is instruction-only, those commands would be executed by the agent runtime environment — yet the registry does not declare those binaries. The instructions also recommend using ifconfig.me to detect client IP for Namecheap (this leaks your IP to an external service) and advise storing credentials in a file in the home directory (~/.domainion), which is a persistence and secrecy concern. The guide's guardrails (don't print tokens) are good, but the instructions give broad discretion to read environment/home files and run network commands, which increases risk if the skill is invoked without user supervision.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That lowers risk from arbitrary code installs because nothing will be pulled or executed on disk by an installer. The security surface is entirely the runtime instructions the agent will follow.
Credentials
Although the registry lists no required env vars, the SKILL.md requires multiple provider credentials (NAMECOM_USERNAME, NAMECOM_TOKEN, GODADDY_API_KEY, GODADDY_API_SECRET, NAMECHEAP_USERNAME, NAMECHEAP_API_KEY, NAMECHEAP_CLIENT_IP) and suggests storing them in env or ~/.domainion. Requesting those provider keys is proportional to domain management, but the omission from declared requirements is an incoherence. Also requesting NAMECHEAP_CLIENT_IP (and suggesting discovery via ifconfig.me) exposes your public IP to a third-party service — reasonable for Namecheap's IP-whitelist workflow but should be called out explicitly in metadata. Overall, secrets handling guidance is weak (plaintext file) and the platform metadata should list the envs so users and the agent platform can apply secret protections.
Persistence & Privilege
always is false (good) and disable-model-invocation is default (agent may call it autonomously). The SKILL.md suggests storing credentials in ~/.domainion, which would create persistent local secrets if followed — this is a user-level design choice rather than an encoded install. Because the skill can be invoked by the agent and has instructions to check local env/files for creds, the combination of autonomous invocation + undeclared secrets storage is something to be careful about, though not malicious by itself.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install domainion-ops - 安装完成后,直接呼叫该 Skill 的名称或使用
/domainion-ops触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: domain & DNS ops across name.com (default), GoDaddy, and Namecheap. Covers registration, nameservers, DNS records, redirects, transfers, and DNSSEC.
元数据
常见问题
Domainion Ops 是什么?
Domain and DNS operations across name.com (default), GoDaddy, and Namecheap. Use for registering domains, flipping nameservers, managing DNS records (A, AAAA... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 371 次。
如何安装 Domainion Ops?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install domainion-ops」即可一键安装,无需额外配置。
Domainion Ops 是免费的吗?
是的,Domainion Ops 完全免费(开源免费),可自由下载、安装和使用。
Domainion Ops 支持哪些平台?
Domainion Ops 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Domainion Ops?
由 iAhmadZain(@iahmadzain)开发并维护,当前版本 v1.0.0。
推荐 Skills