Skill v1.0.0

ClawScan security

Pilot Service Agents Sports · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 5:43 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (sports data via the Pilot Protocol); it is instruction-only, asks for no secrets, and does not install code.
Guidance
This skill is internally consistent with its stated purpose, but take these precautions before installing:
1) Verify you install pilotctl from an official source and that the Pilot Protocol daemon is trustworthy; the skill will query overlay peers and consume their responses.
2) Because it interacts with a peer network (network 9) and returns upstream URLs in responses, only run it in an environment where you accept network-connected data from those peers (or sandbox it).
3) No secrets are requested by the skill itself, but confirm any other required skills (pilot-protocol, pilot-service-agents) are legitimate.
4) The skill is instruction-only, so the static scanner had no code to analyze; review the pilotctl binary and the Pilot daemon setup if you need stronger assurance.

Review Dimensions

Purpose & Capability
ok: The name/description (sports live scores & metadata) matches the declared requirements: pilotctl on PATH, pilot-protocol and pilot-service-agents skills, and a daemon joined to network 9. Those requirements are coherent for a skill that discovers and queries remote service agents on the Pilot overlay.
Instruction Scope
note: SKILL.md instructs only to use pilotctl to list agents, send /help, /data, and /summary commands and to read the inbox. It does require interacting with a running Pilot daemon and remote agents on overlay network 9; this implies network calls to peers and consumption of their responses (including an upstream_url field). The instructions do not ask to read local files or environment variables beyond pilotctl usage.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. Risk from installation is minimal; you still must obtain pilotctl and pilot-protocol separately and verify their provenance.
Credentials
ok: The skill requests no environment variables or credentials. The daemon/network access it needs is proportional to querying overlay service agents for sports data.
Persistence & Privilege
ok: always is false and there is no request to modify other skills or agent-wide config. The default capability for autonomous invocation is unchanged; that is expected for skills that can be user-invoked or invoked by the model when relevant.