ClawHub

Controld

Manage Control D DNS filtering service via API. Use for DNS profile management, device configuration, custom blocking rules, service filtering, analytics settings, and network diagnostics. Triggers when user mentions Control D, DNS filtering, DNS blocking, device DNS setup, or managing DNS profiles.

Audits

Pending
ClawScanReview

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPending

Multi-engine malware detections and file reputation.

Install

openclaw skills install controld

Control D DNS Management

Control D is a DNS filtering and privacy service. This skill enables full API access.

Authentication

Store API token in environment variable or pass directly:

export CONTROLD_API_TOKEN="your-api-token"

Get your API token from: https://controld.com/dashboard (Account Settings > API)

Token Types:

  • Read - View-only access to Profiles, Devices, and Analytics
  • Write - View and modify data (create/modify/delete)

Security Tip: Restrict tokens by allowed IP addresses for automation hosts.

API Reference

Base URL: https://api.controld.com Auth: Authorization: Bearer $CONTROLD_API_TOKEN

Profiles

DNS filtering profiles define blocking rules, filters, and service controls.

# List all profiles
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles" | jq '.body.profiles'

# Create profile
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"My Profile"}' \
  "https://api.controld.com/profiles"

# Clone existing profile
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Cloned Profile","clone_profile_id":"PROFILE_ID"}' \
  "https://api.controld.com/profiles"

# Update profile
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"New Name"}' \
  "https://api.controld.com/profiles/PROFILE_ID"

# Delete profile
curl -s -X DELETE -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID"

Profile Options

# List available profile options
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/options" | jq '.body.options'

# Update profile option (status: 1=enabled, 0=disabled)
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status":1,"value":"some_value"}' \
  "https://api.controld.com/profiles/PROFILE_ID/options/OPTION_NAME"

Devices

Devices are DNS endpoints that use profiles for filtering.

# List all devices
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/devices" | jq '.body.devices'

# List device types (icons)
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/devices/types" | jq '.body.types'

# Create device
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Home Router","profile_id":"PROFILE_ID","icon":"router"}' \
  "https://api.controld.com/devices"

# Update device
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"New Name","status":1}' \
  "https://api.controld.com/devices/DEVICE_ID"

# Delete device
curl -s -X DELETE -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/devices/DEVICE_ID"

Device Icons: desktop-windows, desktop-mac, desktop-linux, mobile-ios, mobile-android, browser-chrome, browser-firefox, browser-edge, browser-brave, browser-other, tv-apple, tv-android, tv-firetv, tv-samsung, tv, router-asus, router-ddwrt, router-firewalla, router-freshtomato, router-glinet, router-openwrt, router-opnsense, router-pfsense, router-synology, router-ubiquiti, router-windows, router-linux, router

Device Status: 0=pending, 1=active, 2=soft-disabled, 3=hard-disabled

Filters

Native and external blocking filters for profiles.

# List native filters for profile
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/filters" | jq '.body.filters'

# List external filters
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/filters/external" | jq '.body.filters'

# Enable/disable filter (status: 1=enabled, 0=disabled)
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status":1}' \
  "https://api.controld.com/profiles/PROFILE_ID/filters/filter/FILTER_ID"

Services

Block, bypass, or redirect specific services (apps/websites).

# List service categories
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/services/categories" | jq '.body.categories'

# List services in category
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/services/categories/CATEGORY" | jq '.body.services'

# List profile services with their actions
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/services" | jq '.body.services'

# Set service action (do: 0=block, 1=bypass, 2=spoof)
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"do":0,"status":1}' \
  "https://api.controld.com/profiles/PROFILE_ID/services/SERVICE_ID"

Custom Rules

Create custom blocking/bypass rules for specific domains.

# List rule folders
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/groups" | jq '.body.groups'

# Create rule folder
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"My Rules","do":0}' \
  "https://api.controld.com/profiles/PROFILE_ID/groups"

# Update rule folder
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"do":0,"status":1}' \
  "https://api.controld.com/profiles/PROFILE_ID/groups/FOLDER_ID"

# Delete rule folder
curl -s -X DELETE -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/groups/FOLDER_ID"

# List rules in folder
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/rules/FOLDER_ID" | jq '.body.rules'

# Create custom rule (do: 0=block, 1=bypass, 2=spoof, 3=redirect)
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"hostnames":["ads.example.com","tracking.example.com"],"do":0,"status":1}' \
  "https://api.controld.com/profiles/PROFILE_ID/rules"

# Delete custom rule
curl -s -X DELETE -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/rules/HOSTNAME"

Rule Actions (do): 0=block, 1=bypass, 2=spoof (resolve via proxy), 3=redirect

Default Rule

Set default action for unmatched domains.

# Get default rule
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/profiles/PROFILE_ID/default" | jq '.body.default'

# Set default rule
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"do":1,"status":1}' \
  "https://api.controld.com/profiles/PROFILE_ID/default"

Proxies

List available proxy locations for traffic redirection (spoofing).

# List all proxy locations
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/proxies" | jq '.body.proxies'

Use proxy PK values with the via parameter when setting service/rule actions to do:2 (spoof).

IP Access Control

Manage known/allowed IPs for devices.

# List known IPs for device
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"device_id":"DEVICE_ID"}' \
  "https://api.controld.com/access" | jq '.body.ips'

# Learn new IPs
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"device_id":"DEVICE_ID","ips":["1.2.3.4","5.6.7.8"]}' \
  "https://api.controld.com/access"

# Delete learned IPs
curl -s -X DELETE -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"device_id":"DEVICE_ID","ips":["1.2.3.4"]}' \
  "https://api.controld.com/access"

Analytics

Configure logging and storage settings.

# List available log levels (0=off, 1=basic, 2=full)
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/analytics/levels" | jq '.body.levels'

# List storage regions
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/analytics/endpoints" | jq '.body.endpoints'

# Get statistics for a device (requires Full analytics level)
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/stats?device_id=DEVICE_ID&start=2024-01-01&end=2024-01-31" | jq '.body'

# Get activity log (requires Full analytics level)
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/queries?device_id=DEVICE_ID&limit=100" | jq '.body.queries'

Account & Network

# Get account info
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/users" | jq '.body'

# Get current IP info
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/ip" | jq '.body'

# List network/resolver status
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/network" | jq '.body'

Organization Management (Business Accounts)

Organization features require a business account. These endpoints manage multi-user access, sub-organizations, and team deployments.

Note: Contact [[email protected]](mailto:[email protected]) from a work email to request business account access.

Organization capabilities include:

  • Manage large amounts of end user devices or networks
  • Quickly onboard hundreds/thousands of devices using RMM
  • Grant access to team members with permission levels
  • Group Profiles and Endpoints into Sub-Organizations
  • Share Profiles between organizations
  • Lock resolvers to specific IP addresses

Organizations

The organization endpoints operate on the organization associated with your API token (no org_id in path).

# View organization info (your organization context)
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/organizations/organization" | jq '.body'

# Modify organization settings
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "name=Updated Org Name&twofa_req=1" \
  "https://api.controld.com/organizations"

Modify Organization Parameters (all optional):

  • name (string) — Organization name
  • contact_email (string) — Primary contact email
  • twofa_req (integer) — Require 2FA/MFA for members (0=no, 1=yes)
  • stats_endpoint (string) — Storage region PK from /analytics/endpoints
  • max_users (integer) — Max number of User Devices
  • max_routers (integer) — Max number of Router Devices
  • address (string) — Physical address
  • website (string) — Website URL
  • contact_name (string) — Contact person name
  • contact_phone (string) — Phone number
  • parent_profile (string) — Global Profile ID to enforce on all devices

Note: Modifying max_users and max_routers is a billable event.

Members

View organization membership.

# List organization members
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/organizations/members" | jq '.body.members'

Sub-Organizations

Sub-organizations compartmentalize profiles and endpoints into logical groups:

  • Departments - Internal organizational units
  • Physical sites - Office locations, branches
  • Customer companies - For MSPs managing multiple clients
  • Any logical grouping - Based on your needs

Each sub-org has its own Profiles, Endpoints, and optionally a Global Profile that applies to all its Endpoints.

# List sub-organizations
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/organizations/sub_organizations" | jq '.body.sub_organizations'

# Create sub-organization
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "name=Customer ABC&contact_email=john@example.com&twofa_req=0&stats_endpoint=ENDPOINT_PK&max_users=50&max_routers=10" \
  "https://api.controld.com/organizations/suborg"

Create Sub-Organization Parameters:

Required:

  • name (string) — Organization name
  • contact_email (string) — Primary contact email
  • twofa_req (integer) — Require 2FA/MFA (0=no, 1=yes)
  • stats_endpoint (string) — Storage region PK from /analytics/endpoints
  • max_users (integer) — Max number of User Devices
  • max_routers (integer) — Max number of Router Devices

Optional:

  • address (string) — Physical address
  • website (string) — Website URL
  • contact_name (string) — Contact person name
  • contact_phone (string) — Phone number
  • parent_profile (string) — Global Profile ID to enforce on all devices

Provisioning Codes

Mass deploy ctrld daemon to endpoints using RMM tools.

# List provisioning codes
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/provision" | jq '.body.codes'

# Create provisioning code
curl -s -X POST -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "profile_id":"PROFILE_ID",
    "device_type":"windows",
    "expires_after":"7d",
    "limit":100,
    "prefix":"office-"
  }' \
  "https://api.controld.com/provision"

# Invalidate provisioning code
curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status":"invalid"}' \
  "https://api.controld.com/provision/CODE_ID"

# Delete provisioning code
curl -s -X DELETE -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/provision/CODE_ID"

Device Types: windows, mac, linux

Deployment Commands:

# Windows (PowerShell as Admin)
(Invoke-WebRequest -Uri 'https://api.controld.com/dl/rmm' -UseBasicParsing).Content | Set-Content "$env:TEMP\ctrld_install.ps1"; Invoke-Expression "& '$env:TEMP\ctrld_install.ps1' 'CODE'"

# macOS/Linux
sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl/rmm)" -s CODE'

Billing

View billing history, subscriptions, and active products.

# Get payment history
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/billing/payments" | jq '.body'

# Get active and canceled subscriptions
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/billing/subscriptions" | jq '.body'

# Get currently activated products
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/billing/products" | jq '.body'

Mobile Config (Apple Devices)

Generate signed Apple DNS profiles (.mobileconfig) for iOS/macOS devices.

# Generate mobile config profile for a device
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/mobileconfig/DEVICE_ID" -o config.mobileconfig

# With optional parameters
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/mobileconfig/DEVICE_ID?client_id=my-iphone&dont_sign=0" -o config.mobileconfig

# Exclude specific WiFi networks
curl -s -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  "https://api.controld.com/mobileconfig/DEVICE_ID?exclude_wifi[]=HomeNetwork&exclude_wifi[]=OfficeWiFi" -o config.mobileconfig

Path Parameter:

  • device_id (required) — Device/Resolver ID

Query Parameters (all optional):

  • exclude_wifi[] (array) — WiFi SSIDs to exclude from using Control D
  • exclude_domain[] (array) — Domain names to exclude from using Control D
  • dont_sign (string) — Set to 1 to return unsigned profile
  • exclude_common (string) — Set to 1 to exclude common captive portal hostnames from WiFi exclusions
  • client_id (string) — Optional client name

Note: This endpoint returns binary data (not JSON) on success. Errors still return JSON.

Helper Script

Use scripts/controld.sh for common operations:

# List profiles
./scripts/controld.sh profiles list

# Create profile
./scripts/controld.sh profiles create "My Profile"

# List devices
./scripts/controld.sh devices list

# Create device
./scripts/controld.sh devices create "Router" PROFILE_ID router

# Block domain
./scripts/controld.sh rules block PROFILE_ID "ads.example.com"

# Bypass domain
./scripts/controld.sh rules bypass PROFILE_ID "trusted.com"

# Enable filter
./scripts/controld.sh filters enable PROFILE_ID FILTER_ID

# Block service (e.g., facebook, tiktok)
./scripts/controld.sh services block PROFILE_ID SERVICE_ID

# List proxies
./scripts/controld.sh proxies list

# Organization management (business accounts)
./scripts/controld.sh orgs info               # View organization info
./scripts/controld.sh orgs members            # List members
./scripts/controld.sh orgs suborgs            # List sub-organizations
./scripts/controld.sh provision list

# Billing
./scripts/controld.sh billing payments        # Payment history
./scripts/controld.sh billing subscriptions   # Subscriptions
./scripts/controld.sh billing products        # Active products

# Mobile Config (Apple devices)
./scripts/controld.sh mobileconfig DEVICE_ID config.mobileconfig

Common Workflows

Set Up New Device

  1. List profiles: profiles list
  2. Create or select profile
  3. Create device with profile: devices create NAME PROFILE_ID ICON
  4. Note the resolver addresses (DoH/DoT/IPv4) from response
  5. Configure device DNS to use resolvers

Block Social Media

  1. List social media services: curl ... /services/categories/social
  2. Block each service: services block PROFILE_ID facebook
  3. Or create custom rules for specific domains

Enable Ad Blocking

  1. List filters: filters list PROFILE_ID
  2. Enable ad-related filters: filters enable PROFILE_ID ads
  3. Enable malware filters: filters enable PROFILE_ID malware

Redirect Traffic Through Proxy (Geo-Spoofing)

  1. List proxies: ./scripts/controld.sh proxies list
  2. Set service to spoof via proxy: 
    curl -s -X PUT -H "Authorization: Bearer $CONTROLD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"do":2,"status":1,"via":"PROXY_PK"}' \
  "https://api.controld.com/profiles/PROFILE_ID/services/SERVICE_ID"

Mass Deploy to Enterprise Endpoints

  1. Create provisioning code: provision create
  2. Deploy via RMM using the provided command
  3. Monitor endpoint registrations in dashboard

Rate Limiting

API rate limit: ~1200 requests per 5 minutes (4 req/sec average). Exponential backoff on 429 responses.

Notes

  • Organization endpoints require a business account
  • Sub-organization members inherit parent org member permissions unless explicitly added
  • Global Profile on a sub-org applies to ALL devices in that sub-org
  • Analytics data is stored for 1 month (raw logs) or 1 year (stats)
  • SSO supported: Okta OIDC and Microsoft EntraID OIDC

API Documentation Sources

Verified endpoints (from API reference, March 2026):

  • Core: /profiles, /devices, /access, /proxies, /services, /filters
  • Organization: /organizations/organization, /organizations/members, /organizations/sub_organizations, /organizations/suborg, /organizations (PUT)
  • Billing: /billing/payments, /billing/subscriptions, /billing/products
  • Mobile Config: /mobileconfig/{device_id}
  • Provisioning: /provision

Organization and billing endpoints require a business account.