Pilot Proposal Writer Setup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed setup guide for a multi-agent proposal workflow. It includes a clearly documented but sensitive external webhook submission path that users should configure carefully.

Before installing, inspect the referenced Pilot bridge skills, verify `pilotctl` and `clawhub` come from trusted sources, and only configure webhook or Slack destinations you control. Test with non-sensitive proposal data first, and require a deliberate approval step before sending final proposals externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly describes final proposal submission to an external destination via webhook, but it does not warn users that proposal contents may leave the internal agent environment. In this skill context, proposals can contain sensitive commercial information such as pricing, timelines, client details, and compliance data, so silent or poorly disclosed external transmission increases the risk of unintended data exfiltration and compliance/privacy issues.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly configures the reviewer role to send a final proposal to an external destination via webhook, but it provides no warning, consent step, destination validation, or guidance on handling sensitive proposal contents. Because proposals commonly contain pricing, customer information, internal strategy, and other confidential data, this can lead to unintended exfiltration outside the controlled agent environment.

VirusTotal

65/65 vendors flagged this skill as clean.
