Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pilot Certificate
v1.0.0
Issue and verify Ed25519-signed capability certificates for Pilot Protocol agents. Use this skill when: 1. You need to issue capability proofs or authorizati...
⭐ 0 · 16 · 0 current · 0 all-time
by Calin Teodor (@teoslayer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name and description promise Ed25519-signed capability certificates, but SKILL.md only writes unsigned JSON certificate files and never performs signing or signature verification. The declared requirements (pilotctl, pilot-protocol, openssl, jq) are plausible for the stated purpose, but the critical cryptographic steps are missing or undocumented.
Instruction Scope
The instructions have the agent create JSON files under ~/.pilot/certificates, send them with pilotctl, and check expiry and capabilities with jq and date. No step references a private key, a signing command (for example an explicit Ed25519 sign with openssl), or signature verification. Verification checks only timestamps and the presence of capability entries, not cryptographic integrity, so the implemented behavior falls short of the cryptographic guarantees the skill advertises.
Install Mechanism
This is an instruction-only skill with no install spec or code files. No downloads or archive extraction occur, so install risk is low.
Credentials
The skill requests no environment variables or external credentials. It writes files to ~/.pilot, which is consistent with a pilot client workflow. However, the absence of any private-key handling is notable, since the advertised signing cannot happen without one.
Persistence & Privilege
No special persistence privileges are requested (always: false). The skill operates on user-home paths and requires the pilotctl daemon to be running; it does not request system-wide changes or access to other skills' configuration.
What to consider before installing
The skill claims Ed25519 issuance and verification, but the provided runtime steps never sign a certificate or verify a signature; they only create and transmit JSON files and check expiry and capability entries. Before installing or using this skill, ask the author how and where signing happens (which private key, which pilotctl command performs the signing) and request explicit verification steps that validate the signature under the issuer's public key rather than only timestamps or JSON contents. Also: avoid issuing 'admin' capabilities as unsigned artifacts, since any holder of an unsigned JSON file can edit it to grant them; test in an isolated environment; confirm pilotctl and pilot-protocol daemon behavior against the official documentation; and verify the authenticity of the pilotctl binary you run.
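The gap described under Instruction Scope and in the advice above, as an added example written for this page (not code from the skill or from the Pilot Protocol project): a certificate body is signed with Ed25519, the weak expiry-and-capability check the scan found is placed beside a verifier that checks the signature first, and a tampered certificate shows why the weak check is not enough. The claim field names, the envelope layout and the use of Go's standard-library crypto/ed25519 are assumptions; the skill's own file format, key locations and pilotctl commands are not documented on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is a hypothetical certificate body. The field names are assumptions
// made for this example, not the Pilot Protocol's actual format.
type Claims struct {
	Subject      string   `json:"subject"`
	Capabilities []string `json:"capabilities"`
	IssuedAt     int64    `json:"issued_at"`
	ExpiresAt    int64    `json:"expires_at"`
}

// Certificate is the signed envelope: the exact bytes that were signed plus the
// Ed25519 signature over them, both base64, so the verifier checks what the
// issuer signed rather than a re-serialisation of it.
type Certificate struct {
	Payload   string `json:"payload"`   // base64(JSON-encoded Claims)
	Signature string `json:"signature"` // base64(Ed25519 signature over Payload bytes)
}

// Issue signs the claims with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Claims) (Certificate, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return Certificate{}, err
	}
	sig := ed25519.Sign(priv, body)
	return Certificate{
		Payload:   base64.StdEncoding.EncodeToString(body),
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// WeakCheck mirrors the jq/date check the scan describes: it parses the payload
// and checks expiry and capability presence only. It never looks at the
// signature, so a forged or tampered certificate passes.
func WeakCheck(cert Certificate, capability string, now time.Time) error {
	body, err := base64.StdEncoding.DecodeString(cert.Payload)
	if err != nil {
		return err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return err
	}
	return checkClaims(c, capability, now)
}

// Verify is the check the skill should perform: signature first, under the
// issuer's public key, then the same expiry and capability checks.
func Verify(pub ed25519.PublicKey, cert Certificate, capability string, now time.Time) error {
	body, err := base64.StdEncoding.DecodeString(cert.Payload)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(cert.Signature)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return err
	}
	return checkClaims(c, capability, now)
}

// checkClaims enforces the validity window and the requested capability.
func checkClaims(c Claims, capability string, now time.Time) error {
	if now.Unix() >= c.ExpiresAt {
		return errors.New("certificate expired")
	}
	if now.Unix() < c.IssuedAt {
		return errors.New("certificate not yet valid")
	}
	for _, granted := range c.Capabilities {
		if granted == capability {
			return nil
		}
	}
	return errors.New("capability not granted")
}

// Tamper rewrites the payload to grant "admin" while keeping the old signature,
// the kind of forgery an unsigned-JSON check cannot detect.
func Tamper(cert Certificate) Certificate {
	body, _ := base64.StdEncoding.DecodeString(cert.Payload)
	var c Claims
	_ = json.Unmarshal(body, &c)
	c.Capabilities = append(c.Capabilities, "admin")
	forged, _ := json.Marshal(c)
	return Certificate{Payload: base64.StdEncoding.EncodeToString(forged), Signature: cert.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed sample certificate: "agent-1" may only "read" for one hour.
	cert, _ := Issue(priv, Claims{Subject: "agent-1", Capabilities: []string{"read"},
		IssuedAt: now.Unix(), ExpiresAt: now.Add(time.Hour).Unix()})
	forged := Tamper(cert)
	fmt.Println("weak check on forged cert:", WeakCheck(forged, "admin", now))       // nil: accepted
	fmt.Println("signature check on forged cert:", Verify(pub, forged, "admin", now)) // invalid signature
}
```

The verifier checks the signature before it parses the claims, so the expiry and capability logic only ever runs over bytes the issuer actually signed; the weak check, by contrast, accepts whatever the file on disk says, which is the behavior the scan flagged.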
latest: vk972p3rx7e8dhkqdvjffn5gxe184fjsr
Runtime requirements
Bins: pilotctl
