Back to skill
Skillv1.0.0
ClawScan security
Pilot Service Agents Music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 3:27 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only adapter that uses the pilotctl CLI to query networked service agents (iTunes search and Lyrics.ovh); its requested tools and instructions are consistent with that purpose and it asks for no credentials or installs.
- Guidance
- This skill is coherent and low-risk as an instruction-only adapter that uses the pilotctl CLI to query network agents for iTunes metadata and lyrics. Before installing: ensure the pilotctl binary and pilot-protocol daemon you run come from a trusted source, and understand that joining the pilot overlay (network 9) exposes your node to peers — avoid sending sensitive or private data through these queries. Also verify the availability and trustworthiness of the listed agents (itunes-search, lyrics-ovh), and remember lyrics may not carry licensing guarantees.
Review Dimensions
- Purpose & Capability
- okName/description (music metadata + lyrics) match the SKILL.md: it instructs the agent to use pilotctl to query overlay agents named itunes-search and lyrics-ovh. The single required binary (pilotctl) and the dependency on a running pilot-protocol daemon are coherent with the stated purpose.
- Instruction Scope
- okSKILL.md only instructs running pilotctl send-message/inbox commands and reading agent contracts/results. It does not ask to read unrelated files, environment variables, or exfiltrate data to unknown endpoints. It explicitly focuses on metadata/lyrics (no streaming/download).
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — lowest-risk category. It assumes pilotctl is already present on PATH; there is no download-from-URL or archive extraction.
- Credentials
- okThe skill requests no environment variables or credentials. Requiring access to a pilot-protocol daemon and the overlay network is proportional to its function, though it does imply network participation (see user guidance).
- Persistence & Privilege
- okNo always:true or special persistence requested. The skill is user-invocable and may be autonomously invoked by the agent (platform default), which is normal for skills of this type.