Skill v1.0.0

ClawScan security

Pilot Service Agents Government · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 2:26 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with its stated purpose of querying government/civic data via the Pilot Protocol overlay; it is instruction-only, requests no secrets, and does not perform unexpected file or env access.
Guidance
This skill is coherent for querying government/civic data via the Pilot Protocol overlay, but exercise caution before use:
1) Install pilotctl only from an official/trusted source and ensure the pilot-protocol daemon you run is trustworthy.
2) Joining the overlay (network 9) means your queries go to remote peers—do not include private tokens, passwords, or sensitive PII in requests.
3) Verify agent contracts with '/help' before sending data and confirm any upstream 'premium' agents require separate credentials.
4) If you have privacy concerns, run the daemon in an isolated environment or test with non-sensitive queries first.

Review Dimensions

Purpose & Capability
ok: Name/description map directly to the actions the SKILL.md instructs (discover/list agents, send '/data', '/help', '/summary' via pilotctl). Requiring pilotctl and a pilot-protocol daemon joined to the network is coherent for a skill that queries an overlay of service agents.
Instruction Scope
note: The instructions require operating a local pilot-protocol daemon joined to network 9 and communicating with remote overlay agents (list-agents, sending messages, reading the inbox). This is within the claimed purpose but means queries are sent over an external overlay—users should avoid sending sensitive secrets in queries. The SKILL.md does not instruct reading local files or environment variables beyond using pilotctl.
Install Mechanism
ok: Instruction-only skill with no install spec or code files. No downloads or archive extraction; lowest install risk. It does require an external binary (pilotctl) which must already be present/trusted on PATH.
Credentials
ok: No environment variables, credentials, or config paths are requested by the skill. The mention of 'premium gcp-civic-elections' is descriptive of an upstream agent and does not translate into required local credentials in this skill.
Persistence & Privilege
ok: 'always' is false and agent invocation is normal (not disabled). The skill does not request permanent presence or system-wide config changes. It simply instructs use of pilotctl to communicate with overlay agents.