ClawHub

Pilot Competitor Intelligence Setup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent setup guide for a competitive-intelligence agent network, with disclosed local configuration, peer messaging, and Slack/webhook alerting.

Before installing, verify the listed pilot-* dependency skills and the pilotctl/clawhub binaries. Use private, approved Slack channels and authenticated HTTPS webhooks, avoid sending confidential strategy details unnecessarily, and confirm the ~/.pilot manifest and hostname changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly routes competitive intelligence to external Slack and webhook destinations but does not warn that these messages may contain sensitive business intelligence or require careful scoping of recipients and endpoints. In this skill’s context, the tracked data includes competitor monitoring, threat scores, recommendations, and pricing intelligence, so forwarding it outside the local agent system can cause unintended disclosure if channels, webhooks, or downstream integrations are misconfigured or broadly accessible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to write persistent local configuration and to set up outbound reporting to Slack, webhooks, and external endpoints, but it does not require an explicit user warning or confirmation before those actions. This is dangerous because a user may invoke the skill expecting advisory setup guidance while the agent instead modifies local state and enables external transmission of potentially sensitive intelligence data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal