Pilot Scientific Research Team Setup

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only setup skill for a multi-agent research workflow. External report publishing is disclosed and is aligned to the report-writer role.

Install this only if you trust the `pilotctl` and `clawhub` tools and the listed pilot-* skills. Before enabling the report role or webhook bridge, decide what research data may leave your environment, restrict destinations where possible, and manually review reports before publishing externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The report role includes outbound publication and webhook capabilities that materially expand the trust boundary from internal collaboration to external data egress. In a research pipeline, this can expose unpublished results, sensitive datasets, or derived findings if the report agent is misconfigured or triggered before review.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README normalizes publishing reports externally over port 443 without warning about confidentiality, approval, or data-governance controls. Because scientific workflows often handle unpublished, proprietary, or regulated material, omitting disclosure safeguards increases the risk of accidental external release.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The example workflow culminates in publishing a final report externally and presents this as a normal success path without cautionary language or review checkpoints. Examples strongly influence operator behavior, so this can lead users to expose internal findings or sensitive research artifacts unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill configures a reporting agent that can send data externally via pilot-webhook-bridge and publish reports over port 443, but the top-level skill description does not warn users that research outputs may be transmitted outside the local agent mesh. In a research workflow, unpublished results, proprietary data, or sensitive findings could be unintentionally disclosed if the user enables this setup without clear notice.

VirusTotal

66/66 vendors flagged this skill as clean.