Security audit

Pilot Discord Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Discord-to-Pilot bridge, with ordinary webhook and daemon risks that users should manage carefully.

Install only if you intend to connect Pilot Protocol with Discord. Store the Discord webhook in an environment variable or secret manager, rotate it if exposed, inspect any external discord_relay.py before running it, restrict webhook and bot permissions to the needed channel, and treat inbound Discord messages as untrusted input.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs users to configure a Discord webhook URL directly, but does not warn that the URL is effectively a bearer secret that grants message-posting capability to the target channel. Exposing it in shell history, logs, screenshots, or shared configs can let unauthorized parties spam channels, impersonate notifications, or abuse the integration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal