Controld
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned for managing Control D, but it can make real DNS/account changes using your Control D API token.
This looks like a normal Control D API management skill. Before installing, verify the source, use a read-only token unless you need changes, restrict the token where possible, and carefully review any command that creates, updates, deletes, or changes DNS filtering behavior.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An incorrect or misunderstood command could delete profiles/devices or change blocking rules that affect DNS behavior.
The helper exposes write and delete API operations for Control D resources. This is aligned with the management purpose, but mistaken use could alter or remove DNS filtering configuration.
profiles_delete() { ... api DELETE "/profiles/$id" | jq '.' }
Use read-only tokens for viewing tasks, and explicitly review write/delete requests before running them.
Anyone or any agent process with access to a write token could make changes to your Control D account.
The skill uses a bearer API token, and a write-scoped token can modify Control D account data. This is expected for the integration and is disclosed.
Auth: `Authorization: Bearer $CONTROLD_API_TOKEN` ... **Write** - View and modify data (create/modify/delete)
Prefer least-privilege/read-only tokens when possible, restrict tokens by IP as suggested, and avoid exposing the token in logs or shared shell history.
Users have less registry-level assurance about where the reviewed package came from.
The registry metadata does not identify a verified source, although the README provides a GitHub clone URL. This is a provenance note rather than evidence of malicious behavior.
Source: unknown
Install only from a trusted source and compare the files with the expected repository before use.
