Back to skill
Skillv1.0.0
ClawScan security
Pilot Service Agents Traffic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 5:43 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with its stated purpose (driving pilotctl to query service agents on the Pilot Protocol overlay); it asks for no unrelated credentials or installs and is instruction-only.
- Guidance
- This skill is internally consistent: it simply automates pilotctl interactions with Pilot Protocol service agents. Before installing, confirm you trust the pilotctl binary and the Pilot Protocol network/daemon you will join (network 9), since agent queries will cause network traffic and may surface upstream URLs from third-party operators. Because the skill runs pilotctl commands, ensure your local pilotctl/daemon are correctly configured and do not contain sensitive credentials you wouldn't want used for outbound agent queries. Finally, verify the Pilot Protocol homepage or project sources if you need additional assurance about the network and agents it exposes.
Review Dimensions
- Purpose & Capability
- okName/description match the requested tooling: the skill documents using pilotctl and a Pilot Protocol daemon to discover and query traffic/bikeshare agents. Requiring pilotctl and a daemon joined to network 9 is appropriate for this stated purpose.
- Instruction Scope
- okSKILL.md only instructs running pilotctl commands (send-message, inbox) against named agents and reading their responses. It does not instruct reading unrelated files, accessing environment variables, or contacting endpoints outside the Pilot Protocol agents, so the instruction scope stays within the advertised function.
- Install Mechanism
- okNo install spec or code files are present (instruction-only). This minimizes disk-write/execute risk; the only runtime dependency is an existing pilotctl binary and a running daemon.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. That aligns with the described functionality, which relies on an already-configured pilotctl/daemon rather than new secrets.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent privileges or modifications to other skills or system-wide settings.