Pilot Translation Pipeline Setup

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only setup skill for a multi-agent translation pipeline, with the network and external publishing behavior disclosed and aligned with its stated purpose.

Before installing, confirm pilotctl and clawhub are trusted, inspect the exact pilot-* skills being installed, use trusted handshakes only, and configure external webhook destinations carefully. Do not route confidential or regulated content through the pipeline unless your privacy, redaction, and audit controls are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly states that approved translations are published to external systems, but it does not warn users that potentially sensitive content may leave the trusted environment. In a translation pipeline, content often contains proprietary, regulated, or personal data, so omission of egress warnings can lead to unintentional data disclosure and compliance violations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly configures the reviewer role to send approved translations to an external destination over a webhook, but it does not instruct the operator to obtain consent, validate the destination, classify the data, or consider privacy/compliance implications. In a translation pipeline, content may include confidential, regulated, or proprietary text, so undocumented outbound transmission materially increases data-exfiltration and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.
