domain-puppy

This skill is functionally coherent and aligned with its stated purpose: domain availability checks and brainstorming. It does not request credentials, execute code, or include download-execute patterns. The primary security/privacy consideration is that all availability and premium checks are proxied through a local MCP server and a Cloudflare Worker (disclosed in the documentation). That proxy operator will observe queried domain names and premium-check activity, so users who need secrecy should be cautious. Reading local project files is optional and limited to a few fields if the user consents — a reasonable design choice but still a potential source of metadata leakage. No malware or backdoor indicators were found.