Skill v1.0.0

ClawScan security

Pilot Supply Chain Orchestrator Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 6:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions match its stated purpose (setting up four coordinated Pilot agents); nothing requested is disproportionate or unrelated.
Guidance
This skill appears internally consistent for deploying a four-agent Pilot supply-chain setup. Before running: (1) verify pilotctl and clawhub are the genuine, trusted tools you expect (confirm vendor/source), (2) review the downstream pilot-* skills that will be installed (especially pilot-escrow) to see what credentials or network access they require, (3) inspect the manifest that will be written to ~/.pilot/setups/supply-chain-orchestrator.json and back up any existing files there, and (4) run the described commands manually in a controlled environment first (or on test servers) so you can confirm behavior and network handshakes before enabling in production.

Review Dimensions

Purpose & Capability
ok: The name/description describe deploying inventory, routing, procurement, and compliance agents; the SKILL.md only requires pilotctl and clawhub (tools used to set hostnames, install skills, and perform handshakes), and instructs installing role-specific pilot-* skills — all coherent with the stated purpose.
Instruction Scope
ok: Runtime instructions are limited to installing listed pilot-* skills via clawhub, setting hostnames, writing a manifest to ~/.pilot/setups/supply-chain-orchestrator.json, and running pilotctl handshake/publish commands. The instructions do not ask the agent to read unrelated files, export environment variables, or contact unknown external endpoints.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code to download — lowest-risk installation mode. All commands rely on existing binaries (pilotctl, clawhub) rather than pulling arbitrary archives or executing remote code.
Credentials
note: The skill itself requests no environment variables or credentials, which is appropriate for a setup recipe. Note: some of the pilot-* skills it installs (for example pilot-escrow) may later require external credentials (payment or escrow providers); those are outside this skill but worth reviewing before installing downstream components.
Persistence & Privilege
ok: always is false and model invocation is default; the skill does not request permanent elevated presence nor modify other skills' configs beyond installing them and writing its own manifest in the user's home directory (~/.pilot), which is expected for a setup utility.