ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Controld

v1.0.3

Manage Control D DNS filtering service via API. Use for DNS profile management, device configuration, custom blocking rules, service filtering, analytics set...

1· 274·0 current·0 all-time
by@austingarrod·duplicate of @austingarrod/controld-d
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included SKILL.md and the bundled shell helper. Required binaries (curl, jq) and the single primary env var (CONTROLD_API_TOKEN) are exactly what an API-managing CLI would need.
Instruction Scope
SKILL.md and the script contain explicit curl commands to api.controld.com and describe profile/device/filter/service management. Instructions do not ask the agent to read unrelated system files, other credentials, or send data to unexpected external endpoints.
Install Mechanism
This is instruction-only with an included shell script; there is no automated install that downloads arbitrary code. The README suggests cloning from a GitHub repo, which is a standard, low-risk distribution method.
Credentials
The only declared secret is CONTROLD_API_TOKEN, which is necessary and proportional for Control D API access. No other unrelated credentials or config paths are requested.
Persistence & Privilege
Skill is not forced-always or otherwise privileged; it does not request persistent system-wide changes or access to other skills' configs.
Assessment
This skill appears to do what it claims: control a Control D account via the official API. Before installing: 1) Only provide a token with the minimum privileges needed (use a read-only token for auditing / viewing). 2) Prefer tokens restricted by IP where possible and rotate tokens regularly. 3) Audit the included scripts (scripts/controld.sh) before running them in your environment — they perform live API operations (create/update/delete) and a write-capable token could make destructive changes. 4) If you will store CONTROLD_API_TOKEN in environment variables, ensure it is not logged or checked into source control. 5) If you need higher assurance, verify the API base (https://api.controld.com) and the publisher/source (the README references a GitHub repo) match the vendor you trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk971vywzrs63nqx2wycdqdga2s82a4fw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binscurl, jq
Primary envCONTROLD_API_TOKEN

Comments