Back to skill

Security audit

Pilot Backup

Security checks across malware telemetry and agentic risk

Overview

This backup skill is purpose-aligned but needs Review because it can transmit sensitive agent state and restore/delete persistent files without enough validation or clear encryption support.

Install only if you understand and control the backup peer, and do not assume the archives are encrypted unless pilotctl documentation or an added encryption step proves it. Before using restore, verify the sender and archive contents in a temporary directory, then copy only approved files into $HOME/.pilot. Replace the rotation command with a safer reviewed cleanup flow that previews exactly which backup files will be removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims backups are encrypted, but the documented workflow only creates a plain .tar.gz archive and transfers it without any visible encryption step. This can cause operators to back up sensitive agent state under a false assumption of confidentiality, exposing configuration and secrets to peers, intermediaries, or anyone with filesystem access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The restore command extracts an untrusted archive directly into the live agent directory, and the rotation command deletes files, both without warning or safety checks. In backup/restore context this is more dangerous because state files are sensitive and overwrite or deletion can corrupt configuration, destroy recoverability, or enable archive-based overwrite attacks if the source is malicious or compromised.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.