Back to skill
Skillv1.0.3
ClawScan security
Controld · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 1:25 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested credential (CONTROLD_API_TOKEN) are consistent with a Control D API management tool and do not ask for unrelated access.
- Guidance
- This skill appears to do only what it says: it issues authenticated requests to Control D's API. Before installing, ensure you supply an API token with the minimum required privileges (use a read token where possible), restrict token scope/IPs if the service supports that, and verify the token is for the correct Control D account. Also confirm the skill source or repository (the README points to a GitHub repo) if you want an upstream audit trail; treat any token you provide like a secret and avoid pasting it into shared chat/history.
Review Dimensions
- Purpose & Capability
- okName/description match the included SKILL.md and helper script; required tools (curl, jq) and the CONTROLD_API_TOKEN are exactly what an API management CLI would need. Endpoints target api.controld.com, which aligns with the stated purpose.
- Instruction Scope
- okSKILL.md and the shell script contain concrete curl commands that only call the Control D API and instruct the user to store or pass the API token. There are no instructions to read unrelated local files, system credentials, or to contact third-party endpoints outside the Control D API/homepage.
- Install Mechanism
- okThis is instruction-only with a small helper script included; there is no install spec that downloads or executes arbitrary remote code. No archives or unfamiliar URLs are used for installation in the provided files.
- Credentials
- okOnly the single primary credential CONTROLD_API_TOKEN is required and the script explicitly checks that variable. No other secrets or unrelated environment variables are requested or referenced.
- Persistence & Privilege
- okSkill is not always-enabled and does not attempt to modify other skills or system-wide settings. It merely provides runtime CLI calls against the Control D API.