Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pilot Sync
v1.0.0
Bidirectional file synchronization between agents over the Pilot Protocol network. Use this skill when: 1. You need to keep directories synchronized between...
by Calin Teodor (@teoslayer)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the runtime instructions (sending files and manifests with pilotctl). However the registry metadata only declares pilotctl as a required binary while the SKILL.md examples also require jq, fswatch or inotifywait, md5sum, and stat. Those additional tools are necessary for the provided workflows but are not listed as required bins in the metadata, which is an inconsistency.
Instruction Scope
Instructions only perform file listing, hashing, timestamping, and sending via pilotctl—actions consistent with file synchronization. They will transmit file contents and metadata (filenames, md5s, mtimes) to remote Pilot nodes, which is expected but worth noting. Examples use a hardcoded remote ID and aggressive loops that will send every file in a directory without filtering or rate control. Also the manifest-building uses shell substitution that may break on filenames with newlines or special characters (and the example uses md5sum and a stat invocation that is OS-specific).
Install Mechanism
Instruction-only skill with no install spec and no code to write to disk; this has a low install risk. Nothing in the package performs downloads or extracts arbitrary archives.
Credentials
No environment variables or explicit credentials are requested, which is proportional. However pilotctl typically uses local configuration and keys (in user home or daemon-managed stores) to authenticate with the Pilot network; the skill does not declare or document what pilotctl auth keys or configs are required. The skill will therefore rely on existing pilotctl credentials (not declared) to transmit files—this implicit credential use should be made explicit.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and contains no install-time persistence. It runs as-invoked and does not claim elevated continuous presence.
What to consider before installing
This skill appears to do what it says (send files via pilotctl), but there are a few issues to check before using it:
- The SKILL.md expects jq, fswatch or inotifywait, md5sum, and stat, but only pilotctl is declared as required; ensure those binaries are present and trusted.
- The manifest and example loops will transmit filenames, checksums, and mtimes (and the file contents) to remote Pilot peers—confirm you trust the remote node(s) and understand what will be shared.
- The stat command shown (stat -f %m) is BSD/macOS-specific; on Linux you may need a different stat invocation. The example shell code also may break on filenames with newlines or special characters.
- pilotctl uses local credentials/config (not listed); verify what keys/config pilotctl will use and whether you consent to those credentials being able to send files.
- Consider adding filtering, error handling, and authentication/authorization checks (verify remote ID) before running the examples.
If the publisher updates the metadata to list all required binaries and documents pilotctl auth/config requirements, and the examples are made more robust/portable, the skill would be more trustworthy.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: pilotctl
