Is abtdomain/nameserver-reverse safe?
https://github.com/openclaw/skills/tree/main/skills/abtdomain/nameserver-reverse
DomainKits (abtdomain/nameserver-reverse) is a documentation-only MCP configuration skill with no executable code, no prompt injection vectors, and no supply-chain risk at install time. The skill's primary risk is operational: it permanently routes all domain intelligence queries through the third-party mcp.domainkits.com service, meaning query data exits the user's environment and MCP tool responses originate from an external server that could theoretically inject malicious content into the agent's context at runtime. A minor metadata inconsistency exists between the commit URL referencing clawdbot/skills and the actual install source at openclaw/skills.
Findings (6)
MEDIUM All Domain Queries Routed to Third-Party MCP Server -18
The skill configures the agent to send all domain search and nameserver reverse-lookup queries to mcp.domainkits.com via npx mcp-remote. This is disclosed functionality but means the operator's domain intelligence queries — which can reveal business interests, acquisition targets, brand monitoring subjects, or investigation focus areas — are continuously transmitted to an external service controlled by a third party.
MEDIUM External MCP Server Responses Injected Into Agent Context -15
Tool results returned by mcp.domainkits.com are injected directly into the agent's conversation context and processed as trusted content. If the external service were compromised, taken over, or operated with malicious intent, it could embed prompt injection payloads within tool responses that instruct the agent to perform unauthorized file access, data exfiltration, or privilege escalation on behalf of the attacker.
LOW Metadata Repository URL Inconsistency -8
The _meta.json commit field references a URL at github.com/clawdbot/skills, but the skill is actually installed from github.com/openclaw/skills. This may represent a legitimate organizational rename or fork relationship, but it creates a verifiability gap: the stated commit hash (1faff3d87ccb6bfadfcc6078049f84ea3bd16bb1) cannot be independently verified against the claimed repository. Users auditing the skill's provenance will find the metadata does not point to the actual source.
LOW Canary Credential Files Read During Audit Session -10
Six high-value credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were accessed at two separate points during the audit window. Cross-referencing EXECVE logs with timestamps shows these accesses align with oathe audit framework processes (sudo invocations at session setup), not with any skill-installed code. The canary integrity report confirms no modifications. Classified LOW because the skill has no code capable of causing these reads.
INFO Skill References Live External Endpoints in Agent Context -5
SKILL.md contains explicit references to mcp.domainkits.com URLs. When injected into an agent's system prompt, these URLs will be visible to the agent and could be fetched or acted upon. No prompt injection text, instruction overrides, or hidden directives were found. The content is consistent with legitimate MCP server documentation.
INFO Zero Executable Surface — Documentation-Only Skill -3
The skill consists entirely of Skill.md (MCP configuration documentation) and _meta.json (registry metadata). There is no package.json, no npm lifecycle scripts, no shell scripts, no Python, no git hooks, no submodules, and no symlinks. The install introduced no executable artifacts whatsoever.