Pilt
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent read-only Pilt API connector, but it uses your Pilt API key to retrieve potentially sensitive fundraising data.
Before installing, confirm that you trust Pilt with this API-key-based access and that the key is stored securely. The documented actions appear read-only and purpose-aligned, but the returned fundraising data may be sensitive business information.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may query Pilt and receive account-specific fundraising information when the skill is used.
The skill uses curl to call an external API endpoint. This is disclosed, limited to the stated Pilt gateway, and aligned with the skill's purpose.
You can retrieve fundraising data from Pilt using curl. All requests go to a single endpoint ... POST https://pilt.ai/api/v1/gateway
Use the skill only with a Pilt API key you are comfortable granting for these read operations, and review responses before sharing them elsewhere.
Anyone or any agent process with access to the configured key could retrieve Pilt data available to that key.
The skill requires a personal Pilt API key and uses it for account-scoped access. This is expected for the integration, but the key is a sensitive credential.
Every request must include ... `x-pilt-api-key: $PILT_API_KEY` ... Store your Pilt API key so it is available as the `PILT_API_KEY` environment variable.
Store the key securely, avoid committing it to files or chat history, use the least-privileged key Pilt supports, and rotate it if exposed.
