Pilot Backup
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The backup purpose is clear, but the restore workflow unpacks a received peer archive directly into persistent agent state without verifying the sender or the archive contents.
Only use this with a peer you explicitly trust and have confirmed. Before backing up, inspect which $HOME/.pilot JSON files will be included and whether they contain secrets. Before restoring, do not unpack a received archive directly into $HOME/.pilot; verify the sender, the signature or hash, and the archive contents, then restore from a staging directory with a current local backup available.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private agent configuration or state could be sent to the wrong peer if the workflow is run as written or without confirming the destination and included files.
The workflow archives local Pilot agent JSON configuration/state and sends it to the peer destination hard-coded in the example, without requiring explicit user-provided peer selection or showing exclusions for sensitive state.
BACKUP_DEST="1:0001.AAAA.BBBB"
...
tar czf "$BACKUP_FILE" "$HOME/.pilot"/*.json
...
pilotctl --json send-file "$BACKUP_DEST" "$BACKUP_FILE"
Require the user to choose and confirm the backup peer, list the files before sending, exclude secrets where possible, and document what Pilot state may be included.
A stale, incorrect, or malicious peer-provided archive could overwrite or poison persistent agent configuration/state that may be reused in later sessions.
The restore flow takes the first received file and extracts it into the persistent Pilot state directory, with no verification of origin, freshness, signature, or archive paths.
BACKUP_FILE=$(pilotctl --json received | jq -r '.received[0].filename')
tar xzf "$HOME/.pilot/received/$BACKUP_FILE" -C "$HOME/.pilot/"
Restore only from a verified peer and request ID, verify a signature or hash, inspect the archive contents, extract to a temporary staging directory first, and require explicit user approval before replacing state.
A file from another peer or an unrelated transfer could be mistaken for the requested backup and restored into the agent state directory.
The restore request names a backup peer, but the file selected for restore is simply the first received file and is not shown as being matched to that peer or request.
pilotctl --json send-message "$BACKUP_PEER" --data '{"type":"backup_request","date":"latest"}'
sleep 3
BACKUP_FILE=$(pilotctl --json received | jq -r '.received[0].filename')
Filter received files by sender, request ID, timestamp, expected filename, and authenticated metadata before using them.
A normal-looking restore command could overwrite important local agent files or extract unexpected archive contents.
The skill uses raw Bash for a high-impact restore operation into the agent state directory, but the documented command lacks guardrails such as archive validation, dry-run listing, or confirmation.
allowed-tools:
  - Bash
...
tar xzf "$HOME/.pilot/received/$BACKUP_FILE" -C "$HOME/.pilot/"
Add safer restore steps: validate paths, reject absolute or parent-directory entries, use a staging directory, show a diff/listing, and ask before applying changes.
The skill's real behavior depends on an external Pilot binary/daemon that the user must obtain and trust separately.
The reviewed artifact contains no code or install spec, so the safety of the required pilotctl binary and daemon is outside this scan.
Requires pilot-protocol skill and pilotctl binary on PATH. The daemon must be running (pilotctl daemon start).
Install pilotctl only from the official source, keep it updated, and verify its configuration before allowing backups or restores.
A user may assume all backup copies are encrypted when the local retained archive shown in the workflow may not be.
The description emphasizes encryption, but the visible workflow creates and locally stores a plain tar.gz archive; encryption may be provided by pilotctl for transport, but that is not shown for local backup storage.
Automated backup of agent configuration and state files to trusted peers with encryption and versioning.
...
tar czf "$backup_file" "$HOME/.pilot"/*.json
...
cp "$backup_file" "$BACKUP_STORAGE/"
Document exactly where encryption is applied, encrypt local retained backups if needed, and avoid implying at-rest encryption unless the workflow enforces it.
