Pilot Role Assign
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only swarm-management skill is coherent, but it can send role-assignment messages to agents, so users should run it only in a trusted swarm.
Before installing or using it, make sure pilotctl, the Pilot Protocol daemon, jq, and base64 are available. Use the commands only in a trusted swarm, verify the target agents and registry, and review bulk role assignments before sending them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, agents in the swarm could receive incorrect roles and coordinate work incorrectly.
The skill permits Bash and documents commands that send role-assignment messages to agents. This is expected for role management, but running it against the wrong address or swarm could misconfigure agents.
    allowed-tools:
     - Bash
    ...
    pilotctl --json send-message "$AGENT_ADDRESS" \
     --data "{\"type\":\"role_assignment\",\"role\":\"$ROLE_NAME\"...}"

Confirm the target swarm, agent addresses, and role names before sending assignments; consider adding a human confirmation step for bulk changes.
Stale or untrusted capability messages could lead to incorrect role assignments if the workflow is run without validation.
The workflow reads capability advertisements from the swarm inbox and uses them to send role messages to peers. The artifact does not describe sender verification or trust boundaries, although this inter-agent messaging is central to the skill's purpose.
    CAPABILITIES=$(pilotctl --json inbox | jq '[.messages[] | select(.topic == "capabilities:'$SWARM_NAME'") | .payload]')
    ...
    pilotctl --json send-message "$AGENT_ADDR" \
     --data "{\"type\":\"role_assignment\",\"role\":\"$ROLE\"}" &

Use this only with trusted Pilot Protocol peers and registries, and validate peer identities and capability data before assigning roles.
