ClawHub

Pilot Video Production Pipeline Setup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed setup helper for a multi-agent video production workflow, with expected persistence and trust setup that users should review before running.

Before installing, confirm you trust pilotctl, clawhub, and the publisher. Review each downstream pilot-* skill before allowing the install commands, especially webhook, Slack, metrics, dataset, and archive skills. Only handshake with verified agents you control, and review or delete ~/.pilot/setups/video-production-pipeline.json if the setup is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs operators that mutual handshakes result in trust being auto-approved with no manual review, but it does not warn about the security implications of establishing persistent cross-agent trust. In a multi-agent pipeline that moves content and metadata between hosts, this can normalize over-broad trust relationships and make it easier for a misconfigured or compromised agent to exchange data or trigger workflows without sufficient scrutiny.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to persist configuration to disk and to configure a distributor role that can send publish notifications to external platforms, but it does not require an explicit user confirmation or warn about privacy and data-sharing consequences. In this context, scripts, asset URLs, metrics, and publication events may be transmitted or stored beyond the current session, creating a meaningful risk of unintended disclosure or unauthorized external actions.

Session Persistence

Medium
Category
Rogue Agent
Content
pilotctl --json set-hostname <prefix>-<role>
```

**Step 4:** Write the setup manifest:
```bash
mkdir -p ~/.pilot/setups
cat > ~/.pilot/setups/video-production-pipeline.json << 'MANIFEST'
Confidence
91% confidence
Finding
Write the setup manifest: ```bash mkdir -p ~/.pilot/setups cat > ~/.pilot

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal