Skill v1.0.0
ClawScan security
Pilot Email Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 9, 2026, 2:19 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (bridging Pilot messages to email) is plausible and mostly matches the instructions, but the runtime instructions allow sending arbitrary local files and configuring arbitrary webhooks while failing to declare required credentials, creating a risk of unintended data exfiltration and unclear credential handling.
- Guidance: This skill appears to do what it says (bridge Pilot messages to SMTP/IMAP), but there are some gaps you should resolve before installing:
  - Credential handling: SKILL.md mentions 'email credentials' but the skill metadata declares no env vars. Ask the author how SMTP credentials are supplied and stored; never paste secrets into free-text fields. Prefer providing credentials via a clearly-scoped secret (an env var declared by the skill) rather than embedding them into webhooks.
  - Exfiltration risk: The send-file and publish examples allow reading arbitrary local files and forwarding them to a webhook/SMTP relay. Only allow the skill to access files from explicitly permitted directories and audit what pilotctl will transmit. If possible, test in an isolated environment first.
  - Webhook targets: Configure webhooks to trusted, authenticated relays (prefer localhost or internal relays) and avoid pointing them to third-party URLs unless you control them. The example uses both localhost and external URLs; prefer localhost/internal for testing.
  - pilotctl provenance: Ensure the pilotctl binary on PATH is the official, up-to-date binary from a trusted source (pilotprotocol.network) to avoid running a tampered client that could leak data.
  - Run safely: Try the skill in a sandbox or non-production agent, verify exactly which files and headers are sent, and confirm that authentication is required and enforced by your SMTP relay.
  If the author can clarify how credentials are handled and limit file-access behavior, the inconsistencies would be resolved; until then, treat the skill as a potential exfiltration vector and proceed cautiously.
Review Dimensions
- Purpose & Capability
  - note: The skill claims to bridge Pilot Protocol and email and correctly requires the pilotctl binary and a running daemon, which aligns with the stated purpose. However, SKILL.md also lists 'email credentials' as a dependency but the registry metadata declares no required environment variables or primary credential, creating an inconsistency about how SMTP authentication is provided.
- Instruction Scope
  - concern: The instructions tell the agent to set webhooks to arbitrary URLs, publish messages that may be relayed externally, and use 'pilotctl --json send-file email-relay /path/to/report.pdf', which implies reading local files and sending them through an external relay. This behavior is consistent with an email bridge but also enables exfiltration of arbitrary files if misused. The README also instructs launching an external 'python3 smtp_relay_server.py &' with no guidance about its security or authentication.
- Install Mechanism
  - ok: This is an instruction-only skill with no install spec and no code files. That minimizes supply-chain risk (nothing downloaded or written by the skill itself). It does, however, rely on an external binary (pilotctl) already on PATH.
- Credentials
  - concern: The SKILL.md says 'Requires ... email credentials' but the skill metadata declares no required environment variables or primary credential. There is no clear, declared mechanism for supplying SMTP auth, API keys, or where they should be stored, which is a meaningful omission for an email bridge that will authenticate to relays.
- Persistence & Privilege
  - ok: The skill is not always-enabled and uses default model-invocation behavior (the agent may call it autonomously, which is normal). It does not request persistent system configuration or modify other skills' settings in the instructions provided.
