Controld

Security checks across malware telemetry and agentic risk

Overview

This is a real Control D management skill, but it gives broad account, billing, organization, DNS, and endpoint-deployment authority without enough guardrails.

Install only if you intend OpenClaw to administer a broad Control D account. Prefer read-only or tightly scoped tokens, restrict token IPs, verify the source, and require explicit human approval before any write, delete, billing, organization, provisioning, mobileconfig, or endpoint-deployment action. Do not run the remote installer commands unless you have verified the installer path and have approval for every affected device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly relies on shell execution via numerous curl/jq command examples and helper scripts, yet the manifest does not declare permissions/capabilities accordingly. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate the skill's ability to perform networked, state-changing operations on behalf of the user.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose focuses on DNS/profile management, but the documented behavior extends into organization administration, provisioning, billing, account inspection, and mobile configuration generation. This mismatch increases the chance of unexpected privileged actions being invoked under a benign-sounding skill description, weakening informed consent and safe routing.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill expands from DNS/profile management into business-organization administration and billing access, which are materially different trust domains. Users and orchestrators may invoke it expecting limited DNS changes, while it can access membership, org settings, and financial metadata.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest omits endpoint provisioning and remote deployment behavior, yet the skill includes mass-deployment workflows and installer execution commands. Hidden deployment capability is especially risky because it can affect many endpoints and crosses from configuration management into software installation/execution.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented deployment commands download and execute a remote script directly from the network, which is a classic high-risk execution pattern. In an agent context, this resembles remote code execution on target endpoints and can lead to compromise, persistence, or large-scale unauthorized changes if misused.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are broad enough to match generic DNS-related requests, increasing the chance the skill activates outside intended Control D administration scenarios. Because the skill supports privileged, state-changing actions, accidental activation can lead to unintended API calls or risky suggestions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents destructive operations such as profile deletion without any confirmation, rollback, or warning guidance. In agent-driven environments, omission of confirmation steps increases the risk of accidental irreversible configuration loss or service disruption.

Missing User Warnings

High
Confidence
98% confidence
Finding
The remote deployment commands execute downloaded scripts without a safety warning, signature verification, or provenance checks. This is dangerous because compromise of the download path, endpoint, or invocation context could result in arbitrary code execution across managed systems.

External Transmission

Medium
Category
Data Exfiltration
Content
**Deployment Commands:**
```bash
# Windows (PowerShell as Admin)
(Invoke-WebRequest -Uri 'https://api.controld.com/dl/rmm' -UseBasicParsing).Content | Set-Content "$env:TEMP\ctrld_install.ps1"; Invoke-Expression "& '$env:TEMP\ctrld_install.ps1' 'CODE'"

# macOS/Linux
sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl/rmm)" -s CODE'
```
Confidence
94% confidence
Finding
https://api.controld.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
(Invoke-WebRequest -Uri 'https://api.controld.com/dl/rmm' -UseBasicParsing).Content | Set-Content "$env:TEMP\ctrld_install.ps1"; Invoke-Expression "& '$env:TEMP\ctrld_install.ps1' 'CODE'"

# macOS/Linux
sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl/rmm)" -s CODE'
```

---
Confidence
96% confidence
Finding
https://api.controld.com/

VirusTotal

65/65 vendors flagged this skill as clean.
