Pilot Service Agents Security

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for read-only security lookups through Pilot Protocol agents, with expected network sharing disclosed enough to treat it as benign.

Install only if you trust Pilot Protocol, pilotctl, and the service-agent network. Do not submit confidential internal domains, private URLs, secrets, or sensitive investigation indicators unless your organization allows those values to be sent to remote agents and upstream lookup providers.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs users to send domains, URLs, IPs, and CVE queries to remote agents and notes that responses include an upstream URL, but it never explicitly warns that submitted indicators and lookup targets are transmitted to external services. In a security/threat-intel context, those targets can themselves be sensitive investigation artifacts, so omission of a disclosure can lead to unintended leakage of internal domains, suspicious URLs, or IPs to third parties.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal