← 返回 Skills 市场
Subdomain Takeover Checker
作者
HostileSpider
· GitHub ↗
· v1.0.0
· MIT-0
325
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install subdomain-takeover
功能描述
Check subdomains for potential takeover vulnerabilities. Detects dangling DNS records pointing to unclaimed services (GitHub Pages, Heroku, AWS, etc.)
安全使用建议
This skill is coherent with its stated purpose, but check these before installing: (1) The script uses curl for HTTP verification but curl is not declared in the metadata—ensure curl is available on the host. (2) The tool performs network scans of domains you supply; avoid scanning domains you don't have permission to test (legal/ethical risk). (3) Expect false positives because the script uses simple substring matching of CNAMEs and treats HTTP timeouts/404s as potentially claimable. (4) If you will run this in an automated agent, run it in an environment with controlled network access and review output files before sharing. If you need stronger verification, consider enhancing the script to use provider-specific claim checks or safer heuristics.
功能分析
Type: OpenClaw Skill
Name: subdomain-takeover
Version: 1.0.0
The skill is a legitimate security utility designed to identify dangling DNS records (subdomain takeover vulnerabilities). The core logic in `scripts/check-takeover.sh` uses standard tools like `dig` and `curl` to verify CNAME records against a list of known vulnerable services (e.g., GitHub Pages, Heroku, AWS). There is no evidence of data exfiltration, malicious execution, or prompt injection intended to subvert the agent's behavior.
能力评估
Purpose & Capability
Name/description (subdomain takeover checking) align with the provided script: it uses dig to resolve records and (optionally) curl to verify HTTP responses. The tool requires only standard CLI utilities to perform DNS and HTTP checks, which is proportional to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the included bash script against a list or single subdomain and documents options (passive, json, timeout, output). The script performs DNS resolution and optional HTTP requests only against the user-supplied domains. It does not read unrelated files, environment variables, or exfiltrate results to external endpoints. Note: the script uses curl for HTTP checks but curl is not declared in the skill metadata as a required binary.
Install Mechanism
There is no install spec and the skill ships as a small local bash script plus SKILL.md. No network downloads or archive extraction are performed during installation, which is low risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The script does not read secrets or external configs. This is proportionate to the tool's purpose.
Persistence & Privilege
The skill is not set to always:true and does not attempt to modify other skills or system-wide settings. It runs on-demand and exits with an appropriate code indicating findings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install subdomain-takeover - 安装完成后,直接呼叫该 Skill 的名称或使用
/subdomain-takeover触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — Detect dangling DNS records
元数据
常见问题
Subdomain Takeover Checker 是什么?
Check subdomains for potential takeover vulnerabilities. Detects dangling DNS records pointing to unclaimed services (GitHub Pages, Heroku, AWS, etc.). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 325 次。
如何安装 Subdomain Takeover Checker?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install subdomain-takeover」即可一键安装,无需额外配置。
Subdomain Takeover Checker 是免费的吗?
是的,Subdomain Takeover Checker 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Subdomain Takeover Checker 支持哪些平台?
Subdomain Takeover Checker 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Subdomain Takeover Checker?
由 HostileSpider(@hostilespider)开发并维护,当前版本 v1.0.0。
推荐 Skills