Skillv1.0.0

ClawScan security

Pilot Auto Trust · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 8, 2026, 10:14 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior matches its description (auto-approving Pilot Protocol peers) but there are inconsistencies and operational risks (undeclared dependency on jq and broad auto-approve commands) that warrant caution before installing.
Guidance: This skill appears to do what it says (auto-approving/rejecting Pilot Protocol peers using pilotctl), but take care before installing: 1) SKILL.md uses jq, xargs, and Bash but jq is not declared in the metadata—ensure jq is installed. 2) The provided commands perform bulk approve/reject operations based on simple filters; run them in dry-run mode first (inspect pilotctl --json pending output) and test patterns in a sandbox. 3) Add safety controls: require manual confirmation, add a dry-run flag, limit batch sizes, or log actions to an audit file. 4) Verify the pilotctl binary and pilot-protocol skill are from trusted sources. If the agent will invoke this autonomously, be especially cautious because it can grant network trust automatically; prefer manual invocation or restrict automation until policies and safeguards are proven. If you can, ask the publisher to update the skill metadata to list jq (and any other CLI tools) explicitly and to include safer example workflows (dry-run/confirm).

Review Dimensions

Purpose & Capability: noteName/description align with the instructions: the skill is explicitly for automated trust decisions for Pilot Protocol and the runtime commands call pilotctl. That capability legitimately requires pilotctl and the pilot-protocol integration. However, the SKILL.md also depends on jq (and common Unix tools like xargs), but jq is not listed in the declared required binaries in the openclaw metadata—an inconsistency.
Instruction Scope: noteAll runtime instructions are shell-based pilotctl commands to list, approve, and reject pending requests, which stay within the stated purpose. They do, however, perform bulk approve/reject operations driven by pattern-matching (hostname, polo_score, address). Those bulk actions are powerful and can cause broad policy changes if misapplied. The SKILL.md does not include safety guards (dry-run, confirmation prompts, rate limits) and assumes jq, xargs, and Bash are available.
Install Mechanism: okInstruction-only skill with no install spec or downloads — lowest install risk. Nothing is written to disk by an installer here.
Credentials: noteThe skill requests no environment variables or credentials, which is appropriate for local pilotctl usage. The only proportionality issue is the metadata omission of jq from required binaries even though the instructions rely on it; ensure runtime environment has jq and other CLI utilities available. Also confirm the pilot-protocol skill (which this requires) does not request unrelated credentials.
Persistence & Privilege: okThe skill is not forced-always and does not request persistent or system-wide modifications. Autonomous invocation is allowed (default), which matches the skill's purpose (automated trust decisions) but increases the potential impact of mistakes or misconfiguration.