Back to skill

Security audit

Pilot Dropbox

Security checks across malware telemetry and agentic risk

Overview

This shared-folder skill is understandable, but its example daemon lets peer messages automatically delete or send local files without enough containment or warning.

Install only for a dedicated, non-sensitive folder shared with peers you trust. Before running the daemon as written, add filename canonicalization that rejects slashes and '..', require peer authorization before honoring pull/delete events, and use backups, versioning, or trash behavior for removals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The workflow accepts `file_removed` events from remote peers and directly executes `rm -f "$DROPBOX_DIR/$FILENAME"` with no authentication, authorization, origin validation, or path sanitization. In a multi-peer sync skill, remote deletion may be part of the feature set, but implementing it without trust controls or safety checks allows any peer able to publish events to delete local data inside the synchronized folder.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `dropbox_pull` handler lets a remote peer request a filename and immediately sends that file back via `pilotctl --json send-file` without validating the requester, checking whether the file is intended for sharing, or constraining the requested path. This can expose local files from the shared directory and, if path traversal or special filenames are accepted upstream, may enable broader file exfiltration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented remove workflow performs destructive deletion and then propagates the removal event, but gives no warning that using the skill can permanently remove local files as part of synchronization. For a Dropbox-like shared folder, deletion semantics are contextually plausible, yet the absence of warnings, recovery guidance, or safeguards increases the chance of accidental data loss.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises automatic synchronization without warning users that remote events may modify or remove local files. In a sync tool this behavior is expected to some degree, but failing to disclose destructive side effects makes the skill more dangerous because operators may enable it on sensitive folders without understanding the risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.