安全的 Namecheap DNS 管理包装器,通过 Namecheap API 进行 DNS 操作。防止意外记录清除,始终先获取现有记录,然后合并更改。## ⚠️ 为什么需要此技能
Namecheap API 的 setHosts 方法替换所有 DNS 记录。一个错误的 API 调用可能会清除整个 DNS 配置。此技能:
- ✅ 始终先获取现有记录
- ✅ 合并新记录与现有记录(除非明确替换)
- ✅ 显示差异预览 قبل应用更改
- ✅ 自动备份更改前
- ✅ 支持模拟运行模式用于安全测试
- ✅ 一键回滚从备份
安装
1. 安装依赖
cd ~/.openclaw/workspace/skills/namecheap-dns
npm install
2. 启用 Namecheap API 访问
- 访问 https://ap.www.namecheap.com/settings/tools/apiaccess/
- 打开 API 访问
- 白名单您的 IP 地址
- 复制 API 密钥
3. 设置环境变量
添加到
~/.zshrc 或
~/.bashrc:
export NAMECHEAP_API_KEY="您的 API 密钥"
export NAMECHEAP_USERNAME="您的用户名"
export NAMECHEAP_API_USER="您的 API 用户名" # 通常与用户名相同
使用
验证 DNS 并检测幽灵记录 ⚠️ 重要:首先运行此命令!
./namecheap-dns.js verify example.com
此命令比较 Namecheap API 可见的 DNS 记录与实际活跃 DNS 记录(通过
dig),并警告关于“幽灵记录”的问题(电子邮件转发、URL 重定向等)。
Safe wrapper around the Namecheap API for DNS operations. Prevents accidental record wipeout by always fetching existing records first and merging changes.
⚠️ Why This Skill Exists
The Namecheap API's setHosts method replaces ALL DNS records for a domain. One wrong API call = your entire DNS config is gone. This skill:
- ✅ Always fetches existing records first
- ✅ Merges new records with existing ones (unless explicitly replacing)
- ✅ Shows a diff preview before applying changes
- ✅ Auto-backups before every change
- ✅ Supports dry-run mode for safe testing
- ✅ One-command rollback from backups
Setup
1. Install dependencies
cd ~/.openclaw/workspace/skills/namecheap-dns
npm install
2. Enable Namecheap API access
- Go to https://ap.www.namecheap.com/settings/tools/apiaccess/
- Toggle "API Access" ON
- Whitelist your IP address
- Copy your API key
3. Set environment variables
Add to ~/.zshrc or ~/.bashrc:
export NAMECHEAP_API_KEY="your-api-key-here"
export NAMECHEAP_USERNAME="your-username"
export NAMECHEAP_API_USER="your-username" # Usually same as username
Usage
Verify DNS and detect ghost records
⚠️ IMPORTANT: Run this first!
./namecheap-dns.js verify example.com
This command compares DNS records visible to the Namecheap API with actual live DNS records (via dig). It will warn you about "ghost records" that exist in DNS but are invisible to the API (email forwarding, URL redirects, etc.).
List current DNS records
./namecheap-dns.js list example.com
Note: This only shows records visible to the API. Use verify to see ALL records including those managed by Namecheap subsystems.
Add records (safe merge)
# Add a single TXT record
./namecheap-dns.js add example.com \
--txt "mail.example.com=v=spf1 include:mailgun.org ~all"# Add multiple records at once
./namecheap-dns.js add example.com \
--txt "mail=v=spf1 include:mailgun.org ~all" \
--cname "email.mail=mailgun.org" \
--mx "mail=10 mxa.mailgun.org"
# Dry-run (preview changes without applying)
./namecheap-dns.js add example.com \
--txt "test=hello" \
--dry-run
# Force override safety check (if you know ghost records can be deleted)
./namecheap-dns.js add example.com \
--txt "test=hello" \
--force
Safety: The skill automatically checks for "ghost records" before making changes. If detected, it will refuse to proceed unless you use --force.
Remove records
# Remove by host + type
./namecheap-dns.js remove example.com \
--host "old-record" \
--type "TXT"# Dry-run first
./namecheap-dns.js remove example.com \
--host "old-record" \
--type "TXT" \
--dry-run
Backup & Restore
# Create manual backup
./namecheap-dns.js backup example.com# List available backups
./namecheap-dns.js backups example.com
# Restore from latest backup
./namecheap-dns.js restore example.com
# Restore from specific backup
./namecheap-dns.js restore example.com \
--backup "example.com-20260213-114500.json"
Record Format
TXT Records
--txt "subdomain=value"
--txt "@=value" # Root domain
CNAME Records
--cname "subdomain=target.com"
MX Records
--mx "subdomain=10 mx.target.com"
--mx "@=10 mx.target.com" # Root domain
A Records
--a "subdomain=192.168.1.1"
--a "@=192.168.1.1" # Root domain
Backup Location
Default: ./backups/ (relative to skill directory)
Configurable via environment variable:
export NAMECHEAP_BACKUP_DIR="/custom/path/to/backups"
Format: {domain}-{timestamp}.json
Each backup includes:
apiHosts: Records visible to Namecheap APIliveDNS: Actual DNS records captured via dig- Timestamp and domain metadata
This allows you to see what was ACTUALLY live in DNS, not just what the API knew about.
Safety Features
- Ghost record detection — automatic check for records invisible to API
- Auto-backup before changes — every
add or remove creates a timestamped backup (includes DNS snapshot)
- Dry-run mode —
--dry-run shows what will change without applying
- Diff preview — see exactly what records will be added/removed
- Fetch-first — always gets current DNS state before changes
- Merge logic — adds to existing records instead of replacing
- Rollback — one command to restore from backup
- Safety override —
--force flag for when you need to bypass ghost record warnings
Examples
Mailgun Setup
./namecheap-dns.js add menuhq.ai \
--txt "mail.menuhq.ai=v=spf1 include:mailgun.org ~all" \
--txt "smtp._domainkey.mail.menuhq.ai=k=rsa; p=MIGfMA0..." \
--txt "_dmarc.mail.menuhq.ai=v=DMARC1; p=quarantine;" \
--cname "email.mail.menuhq.ai=mailgun.org" \
--mx "mail.menuhq.ai=10 mxa.mailgun.org" \
--mx "mail.menuhq.ai=20 mxb.mailgun.org" \
--dry-run
Review the diff, then run without --dry-run to apply.
Known Limitations
⚠️ The Namecheap API is Destructive
The Namecheap domains.dns.setHosts API method replaces ALL DNS records for a domain. There is no "add one record" or "update one record" endpoint. Every change requires:
- Fetch all existing records (
getHosts)
- Modify the list
- Upload the entire list (
setHosts)
This skill handles this for you by always fetching first and merging changes.
🔍 Ghost Records: The Hidden Danger
Problem: domains.dns.getHosts does NOT return all DNS records. Records managed by Namecheap subsystems are invisible to the API:
- Email Forwarding — MX, SPF, and DKIM records
- URL Redirect — A/CNAME records for domain parking/redirects
- Third-party integrations — Records added through Namecheap's dashboard for services
Since setHosts replaces all records, using the API can silently delete these hidden records.
🛡️ How This Skill Protects You
verify command — Compares API records with actual live DNS (via dig) and warns about ghost records- Automatic safety check — Before any
add, remove, or restore, the skill checks for ghost records
- Refuses to proceed — If ghost records are detected, the operation is blocked (unless
--force is used)
- Clear warnings — Shows exactly which records will be lost if you proceed
- DNS snapshots in backups — Captures actual DNS state via
dig, not just API state
When to Use --force
Only use the --force flag when:
- You've manually verified the ghost records are no longer needed
- You're intentionally removing email forwarding or URL redirects
- You understand and accept that those records will be deleted
Never use --force blindly. Always run verify first to see what will be lost.
Example: The Production Incident
This skill was created after adding Mailgun DNS records via the API wiped out Namecheap's email forwarding records. The email forwarding MX/SPF/TXT records were invisible to getHosts, so the fetch-merge-write pattern deleted them.
Now, the skill would have:
- Detected the ghost records during
verify
- Refused to proceed without
--force
- Shown exactly which email forwarding records would be deleted
- Created a backup including the DNS snapshot
Troubleshooting
"API request failed: IP not whitelisted"
- Add your current IP to https://ap.www.namecheap.com/settings/tools/apiaccess/
- Check with:
curl ifconfig.me
"Invalid API key"
- Verify
NAMECHEAP_API_KEY is set correctly
- Re-enable API access if needed
"Domain not found"
- Ensure domain is in your Namecheap account
- Check spelling (case-sensitive)
API Reference
Namecheap API docs: https://www.namecheap.com/support/api/methods/domains-dns/
by