ClawHub

Pilot Energy Grid Optimizer Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent with its energy-grid setup purpose, but it gives live-looking device-control instructions for power equipment without enough safety, authorization, or containment guidance.

Install only if you understand the Pilot ecosystem and can test in a simulator or isolated staging network first. Review every downstream pilot-* skill, back up existing ~/.pilot configuration, verify peer identities, use authenticated/encrypted transport, and do not connect this workflow to real grid equipment without formal authorization, safety interlocks, audit logging, and a rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to publish live dispatch and device-control messages to batteries and other equipment without any explicit safety warning, sandboxing guidance, or recommendation to use a test environment. In an energy-grid context, example commands can directly influence physical devices and power flows, so an operator may execute them against production systems and cause equipment stress, outages, unsafe load changes, or operational instability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs writing a manifest to ~/.pilot/setups/energy-grid-optimizer.json without warning the user that this creates persistent state in their home directory and may overwrite an existing configuration. In an automation/setup context, undisclosed filesystem changes can cause accidental configuration loss or unintended reuse of stale settings across later sessions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill defines peer-to-peer transmission of operational grid telemetry and device-control commands but does not warn about confidentiality, integrity, or authenticity requirements. Because this includes dispatch-command and device-ack flows for energy infrastructure, missing privacy/integrity guidance increases the risk of data exposure, spoofed commands, and unsafe device actions if the transport or trust relationships are weak.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal