Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pilot Reputation
v1.0.0
Advanced reputation analytics and trend visualization for Pilot Protocol agents. Use this skill when: 1. You need to track polo score trends over time for ag...
by Calin Teodor (@teoslayer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (reputation analytics for Pilot Protocol) align with the commands in SKILL.md which call pilotctl and store peer+score snapshots. However the SKILL.md lists dependencies (jq, bc, pilot-protocol) that are not reflected in the registry's required binaries field (which only lists pilotctl). This is a discrepancy a buyer should notice.
Instruction Scope
The instructions are limited to running pilotctl, jq, and basic shell utilities and storing JSON snapshots under ~/.pilot/reputation/data — all coherent with reputation tracking. Concerns: the scripts write unencrypted files into the user's home directory, run an infinite loop without safeguards, and the Query/Trend commands rely on an $AGENT environment variable that is never declared or explained.
Install Mechanism
Instruction-only skill (no install spec, no downloads, no code files). This is low-risk from an install perspective because nothing will be written to disk by the platform during install.
Credentials
The skill declares no required credentials or config paths, which is appropriate. But the SKILL.md expects the $AGENT variable to be set (used in jq queries) and lists dependencies (jq, bc) that are not declared in the registry metadata. Also the snapshots capture local agent address/hostname which might be sensitive if stored with loose permissions.
Persistence & Privilege
always:false and no daemonizing/install behavior in the skill metadata. The only persistence suggested is user-run scripts that write to ~/.pilot/reputation/data; the skill itself does not request elevated or permanent platform privileges.
What to consider before installing
This skill appears to do what it says (collect pilotctl JSON snapshots and compute simple trends), but check these before installing:
1) Make sure pilotctl, jq, and bc are actually available on the host — the registry only listed pilotctl, so jq/bc are a missing declaration.
2) The scripts write snapshots to ~/.pilot/reputation/data (unprotected JSON). Decide whether that data should be stored unencrypted and set file permissions appropriately.
3) The Query/Trend commands expect an $AGENT environment variable but the skill does not declare it — set it or modify the commands to specify the agent.
4) The continuous tracking example runs an infinite loop; if you run it, add logging, rotation, and a stop condition.
5) If you allow agents to invoke skills autonomously, be aware an agent with this skill could run the listed shell commands and create files in your home directory; that behavior is consistent with the skill's purpose but still merits operational caution.
If you need me to, I can suggest a tightened SKILL.md that declares jq/bc, documents AGENT, and hardens file permissions and rotation.
Like a lobster shell, security has layers — review code before you run it.
latest vk978fjyat0nmzs3a4nm1akw9v984h251
Runtime requirements
Bins: pilotctl
