← 返回 Skills 市场

GoDaddy API

Name: GoDaddy API
Author: solarx56

作者 Andrew · GitHub ↗ · v1.1.0

cross-platform ⚠ suspicious

769

总下载

当前安装

版本数

在 OpenClaw 中安装

/install godaddy-api

功能描述

Complete GoDaddy API skill with shell scripts + MCP server for domains, DNS, certificates, shoppers, subscriptions, agreements, countries, and aftermarket li...

使用说明 (SKILL.md)

GoDaddy API

Setup

export GODADDY_API_BASE_URL="https://api.godaddy.com"  # or https://api.ote-godaddy.com
export GODADDY_API_KEY="your-key"
export GODADDY_API_SECRET="your-secret"

Keys: \x3Chttps://developer.godaddy.com/keys>

Shell scripts

scripts/gd-domains.sh — list/get/availability, validate purchase, purchase, renew, transfer, update, update contacts, delete, privacy on/off, domain agreements get/accept
scripts/gd-dns.sh — get all/type/name, patch add, replace all/type/type+name, delete type+name
scripts/gd-certs.sh — create/validate/get/actions/download/renew/reissue/revoke/verify domain control
scripts/gd-shoppers.sh — get/update/delete shopper
scripts/gd-subscriptions.sh — list/get/cancel subscription
scripts/gd-agreements.sh — list legal agreements
scripts/gd-countries.sh — list countries
scripts/gd-aftermarket.sh — list/get aftermarket listings

Destructive/financial actions prompt for confirmation.

MCP server

Path: scripts/mcp-server/

cd scripts/mcp-server
npm install
npm run build
node dist/index.js

Exposes MCP tools for all skill operations (domains, DNS, certs, shoppers, subscriptions, agreements, countries, aftermarket).

Example MCP config:

{
  "mcpServers": {
    "godaddy": {
      "command": "node",
      "args": ["path/to/mcp-server/dist/index.js"],
      "env": {
        "GODADDY_API_BASE_URL": "https://api.godaddy.com",
        "GODADDY_API_KEY": "",
        "GODADDY_API_SECRET": ""
      }
    }
  }
}

References

references/endpoints.md — complete endpoint map
references/auth-and-env.md — auth/env setup
references/request-bodies.md — payload examples
references/error-handling.md — troubleshooting
references/safety-playbook.md — safe operation patterns

安全使用建议

This skill appears to be a functional GoDaddy client, but the registry metadata does not declare the API credentials the code needs — treat that as a red flag. Before installing or running: (1) do not paste production API_KEY/SECRET into random shells; prefer testing in the OTE URL; (2) avoid blindly appending exports to ~/.zshrc/ ~/.bashrc — instead use a secure secrets store, an env file with restricted permissions, or temporarily export in a session; (3) review package.json/package-lock and run npm install in an isolated environment (or scan dependencies) before starting the MCP server; (4) ensure the local MCP server is not exposed to untrusted networks; (5) if you need to proceed, confirm the skill author/source and update registry metadata to list the required env vars/primary credential so the permissions are transparent.

功能分析

Type: OpenClaw Skill Name: godaddy-api Version: 1.1.0 The skill bundle is classified as suspicious due to critical shell injection vulnerabilities present in the `scripts/*.sh` files. User-provided arguments and the content of user-specified JSON payload files are directly interpolated into `curl` commands and URL query strings without proper sanitization (e.g., in `scripts/gd-api.sh`, `scripts/gd-aftermarket.sh`, `scripts/gd-certs.sh`). This allows for arbitrary command execution if an attacker can control the input to these shell scripts. While the `scripts/mcp-server/` (Node.js) component is well-secured with input validation and safe API call mechanisms, the presence of these severe vulnerabilities in the shell scripts, which are a primary interface described in `SKILL.md`, poses a significant risk of remote code execution.

能力评估

ℹ Purpose & Capability

The name/description match the included scripts and MCP server: everything is focused on GoDaddy domains, DNS, certs, shoppers, subscriptions, agreements and aftermarket. Required binaries (bash, curl, jq, node, npm) are appropriate for the provided shell scripts and Node MCP server. However the skill registry metadata declares no required environment variables or primary credential while the SKILL.md and all scripts require GODADDY_API_BASE_URL, GODADDY_API_KEY, and GODADDY_API_SECRET — a clear mismatch between claimed metadata and actual runtime needs.

✓ Instruction Scope

SKILL.md and the shell scripts limit actions to GoDaddy API calls and include confirmation prompts for destructive/financial actions. Instructions recommend testing in OTE and not logging secrets. The only out-of-band operation is recommending appending export lines to ~/.bashrc or ~/.zshrc to persist credentials (documented), which writes to a user config file but is within the expected scope for CLI tools.

ℹ Install Mechanism

There is no platform install spec — the skill is instruction- and code-file-based. The MCP server requires running npm install/build (package.json and package-lock.json included), which will pull dependencies from the public npm registry. There are no downloads from arbitrary URLs or extract-from-URL steps, but running npm install will fetch third-party packages (normal but moderate risk if you don't review dependencies).

⚠ Credentials

The runtime requires three sensitive environment variables (GODADDY_API_BASE_URL, GODADDY_API_KEY, GODADDY_API_SECRET) that are used everywhere (shell scripts and MCP server). The registry entry incorrectly lists no required env vars or primary credential — this is a material metadata inconsistency. The SKILL.md also suggests echoing secrets into ~/.zshrc/ ~/.bashrc for persistence, which increases the risk of long-lived secret exposure if users follow it blindly.

ℹ Persistence & Privilege

The skill does not request always:true and does not attempt to change other skills or system-wide agent settings. It does, however, instruct the user how to persist credentials into shell startup files and runs a local MCP server (node dist/index.js) which, if started, will hold credentials in its environment. These behaviors are expected for a local API client but mean you should avoid running the MCP server on an exposed machine or persisting secrets insecurely.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install godaddy-api
安装完成后，直接呼叫该 Skill 的名称或使用 /godaddy-api 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.0

Remove bundled node_modules — install via npm install in scripts/mcp-server/ instead

v1.0.0

- Initial release of the GoDaddy API skill. - Provides shell scripts for managing domains, DNS, certificates, shoppers, subscriptions, agreements, countries, and aftermarket listings. - Includes an MCP server to expose all operations programmatically. - Destructive and financial actions require confirmation for safety. - Detailed documentation and references included for endpoints, authentication, payloads, error handling, and safe operation guidelines.

元数据

Slug godaddy-api

版本 1.1.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 2

常见问题

GoDaddy API 是什么？

Complete GoDaddy API skill with shell scripts + MCP server for domains, DNS, certificates, shoppers, subscriptions, agreements, countries, and aftermarket li... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 769 次。

如何安装 GoDaddy API？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install godaddy-api」即可一键安装，无需额外配置。

GoDaddy API 是免费的吗？

是的，GoDaddy API 完全免费（开源免费），可自由下载、安装和使用。

GoDaddy API 支持哪些平台？

GoDaddy API 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 GoDaddy API？

由 Andrew（@solarx56）开发并维护，当前版本 v1.1.0。

GoDaddy API

GoDaddy API

Setup

Shell scripts

MCP server

References

GoDaddy API 是什么？

如何安装 GoDaddy API？

GoDaddy API 是免费的吗？

GoDaddy API 支持哪些平台？

谁开发了 GoDaddy API？

💬 留言讨论