← 返回 Skills 市场
Subdomain Hunter
作者
snipercat69
· GitHub ↗
· v1.4.0
· MIT-0
99
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install edgeiq-subdomain-hunter
功能描述
Performs passive subdomain enumeration using CT logs, DNS zone transfer checks, takeover detection, and optional bruteforce without active probing.
使用说明 (SKILL.md)
Subdomain Hunter
Skill Name: subdomain-hunter
Version: 1.0.0
Category: Security / Reconnaissance
Price: Lifetime: $39 / Optional Monthly: $7/mo (all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib + socket, WSL + Linux
What It Does
Passive subdomain enumeration using Certificate Transparency logs, DNS zone transfer checks, and takeover detection. Reconnaissance-grade discovery without sending active probes.
⚠️ Legal Notice: Only enumerate domains you own or have explicit written permission to audit. Unauthorized recon is illegal.
Features
- Certificate Transparency enumeration — scrape crt.sh for subdomain history
- DNS zone transfer check — attempt AXFR with common NS records
- Takeover detection — identify subdomains pointing to unclaimed/inactive services (CNAME to dead endpoints)
- Common subdomain bruteforce — lightweight wordlist scan for common subdomains
- Subdomain resolution — verify discovered subdomains resolve
- JSON export — structured output for integration
Tier Comparison
| Feature | Free | Pro ($19/mo) | Bundle ($39/mo) |
|---|---|---|---|
| CT log enumeration | ✅ (50 results) | ✅ (unlimited) | ✅ (unlimited) |
| Zone transfer check | ✅ | ✅ | ✅ |
| Takeover detection | — | ✅ | ✅ |
| Bruteforce wordlist | ✅ (2000 names) | ✅ (2000 names) | ✅ (2000 names) |
| JSON export | ✅ | ✅ | ✅ |
| Concurrent resolution | ✅ (50 threads) | ✅ (50 threads) | ✅ (50 threads) |
Installation
cp -r /home/guy/.openclaw/workspace/apps/subdomain-hunter ~/.openclaw/skills/subdomain-hunter
Usage
Basic scan (free tier — 50 results)
python3 subdomain_hunter.py --domain example.com
Pro scan (unlimited + takeover detection)
[email protected] python3 subdomain_hunter.py --domain example.com --pro
Full bundle scan (bruteforce + concurrent threads)
[email protected] python3 subdomain_hunter.py --domain example.com --bundle --bruteforce
Export to JSON
python3 subdomain_hunter.py --domain example.com --output results.json
Check for takeovers only
python3 subdomain_hunter.py --domain example.com --takeover-only
As OpenClaw Discord Command
In #edgeiq-support channel:
!subdomain example.com
!subdomain example.com --takeover
!subdomain example.com --bruteforce
Parameters
| Flag | Type | Default | Description |
|---|---|---|---|
--domain |
string | — | Target domain |
--pro |
flag | False | Enable Pro features |
--bundle |
flag | False | Enable Bundle features |
--bruteforce |
flag | False | Run common subdomain wordlist |
--takeover |
flag | False | Run takeover detection |
--takeover-only |
flag | False | Only run takeover detection |
--output |
string | — | Write JSON report to file |
--threads |
int | 20/50 | Concurrent threads (Pro/Bundle) |
Output Example
=== Subdomain Hunter ===
example.com
CT Entries: 47
Resolved: 31
Dead: 5
Takeovers: 2 🔴
Discovered subdomains:
api.example.com ✅ resolves → 1.2.3.4
staging.example.com ✅ resolves → 1.2.3.5
dev.example.com ❌ DEAD (CNAME to Heroku)
old.example.com 🔴 TAKEOVER (no CNAME, 404)
blog.example.com ✅ resolves → 1.2.3.6
Zone Transfer: BLOCKED
Threat Level: MEDIUM
Pricing
Lifetime License: $39 — your tool forever, all features included permanently.
Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime). 👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo
Pro Upgrade (deprecated)
All features now included in Lifetime purchase.
Support
Open a ticket in #edgeiq-support or email [email protected]
🔗 More from EdgeIQ Labs
edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.
- 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
- 📸 Screenshot API — URL-to-screenshot API for developers
- 🔔 uptime.check — URL uptime monitoring with alerts
- 🛡️ headers.check — HTTP security headers analyzer
安全使用建议
This skill contains working code and will perform network activity when run. Before installing or running it:
- Don't trust the 'passive' label: the tool intentionally performs active DNS resolution, AXFR attempts (connecting to port 53), and optional bruteforce. Only run it against domains you own or have explicit written permission to audit.
- Metadata omission: the registry says no env vars are required, but the tool uses EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY and ~/.edgeiq/license.key for licensing—expect to provide these or to have the tool read your home directory.
- Licensing quirk: the licensing code contains a hardcoded allowance for a specific email address, and license logic reads files in your home directory. Review edgeiq_licensing.py to ensure it matches your expectations and doesn't unintentionally grant or leak access.
- Audit network behavior: the script queries crt.sh (https requests) and performs raw socket connections; if you are in a restrictive environment, run it in an isolated VM or container and inspect network traffic first.
- Verify provenance: source/homepage are missing and README points to an external GitHub user. If you need long-term trust, request a canonical source (repo, author identity) and validate the Stripe/payment links and contact email.
If you are uncertain, do not run this against real targets or production networks; review the code (subdomain_hunter.py and edgeiq_licensing.py) and run in an isolated environment. If the mismatches above worry you, treat this as potentially risky until provenance and env-var behavior are clarified.
能力标签
能力评估
Purpose & Capability
The name/description (passive subdomain enumeration) is broadly consistent with the included code (crt.sh queries, DNS checks, takeover detection, bruteforce). However SKILL.md repeatedly claims 'no active probing' while the code: performs DNS resolution, attempts TCP connections to port 53 (zone transfer checks), and can run bruteforce—these are active network actions and contradict the passive claim. Also the SKILL.md and README advise using EDGEIQ_EMAIL / license files for Pro/Bundle, but the registry metadata lists no required env vars—an inconsistency.
Instruction Scope
Runtime instructions (SKILL.md) instruct users to run the included Python script and to set EDGEIQ_EMAIL for premium features. The doc promises 'passive' recon but the instructions and code enable active checks (AXFR attempts, resolution of many candidate hosts, optional bruteforce). SKILL.md also suggests copying files from a workspace path and using Discord commands, which are operational details outside the skill's declared metadata. The instructions grant the skill discretion to perform network probing beyond purely passive CT scraping.
Install Mechanism
There is no install specification (instruction-only), so nothing will be automatically downloaded/executed during install. The package does include Python files shipped with the skill; that means code will run on invocation but there is no installer that fetches remote archives or binaries. This is lower risk from an install mechanism perspective.
Credentials
Registry metadata says no required env vars, but SKILL.md and the code expect/use EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY and a license file under ~/.edgeiq/license.key. The licensing module also implicitly grants bundle access for a specific email ([email protected]). Asking for an email/env var and reading a license file in the user's home is reasonable for licensing, but the mismatch with declared metadata and the hardcoded permissive check for a specific email are noteworthy and unexpected.
Persistence & Privilege
The skill does not request 'always' presence and does not include an install script that writes to system-wide locations. It reads/writes a per-user license file (~/.edgeiq/license.key) which is normal for license management. There is no evidence it modifies other skills or global agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install edgeiq-subdomain-hunter - 安装完成后,直接呼叫该 Skill 的名称或使用
/edgeiq-subdomain-hunter触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.4.0
v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs (no suffixes, correct live URLs)
v1.3.0
v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs
v1.2.0
v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.
v1.0.0
Initial release: CT enumeration, zone transfer check, takeover detection, bruteforce wordlist, JSON export.
元数据
常见问题
Subdomain Hunter 是什么?
Performs passive subdomain enumeration using CT logs, DNS zone transfer checks, takeover detection, and optional bruteforce without active probing. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 99 次。
如何安装 Subdomain Hunter?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install edgeiq-subdomain-hunter」即可一键安装,无需额外配置。
Subdomain Hunter 是免费的吗?
是的,Subdomain Hunter 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Subdomain Hunter 支持哪些平台?
Subdomain Hunter 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Subdomain Hunter?
由 snipercat69(@snipercat69)开发并维护,当前版本 v1.4.0。
推荐 Skills