Back to skill

Security audit

Pilot Keychain

Security checks across malware telemetry and agentic risk

Overview

This skill is for credential sharing, but its examples handle secrets in plaintext and retain them locally despite claiming secure auto-expiry.

Review before installing. Use only with trusted recipients and short-lived, least-privilege credentials, and do not assume the advertised auto-expiry, rotation, or encryption is enforced by this skill text. Avoid running the examples as written unless you harden temporary-file handling, prevent secret output from being logged, and replace local plaintext retention with a real secret store or immediate deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The workflow example creates a persistent local keychain under ~/.pilot/keychain/{sent,received} and moves credential files there after transmission, directly contradicting the manifest's guidance not to use this skill for persistent credential storage. Because the skill handles secrets, retaining plaintext credential material on disk expands exposure to local compromise, backups, shell access, and forensic recovery.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation advertises automatic expiration, but the examples only include an expires_at field and a separate manual cleanup routine. Users may incorrectly assume expired credentials become inaccessible automatically, leading to stale secrets remaining readable on disk indefinitely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The send example writes the credential value in plaintext to /tmp/cred.json before transmission, which can expose secrets through local disk access, insecure temp handling, crash recovery, or other processes observing the filesystem. In a credential-sharing skill, omission of any warning or secure temp-file handling materially increases the likelihood of accidental secret disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cleanup and workflow examples normalize persistent secret storage and deletion operations without warning users that secrets are being kept locally in plaintext and manually removed later. This is particularly dangerous in the context of credential exchange because operators may believe the mechanism is safely ephemeral when it is not.

Session Persistence

Medium
Category
Rogue Agent
Content
#!/bin/bash
# Credential lifecycle

mkdir -p ~/.pilot/keychain/{sent,received}

send_credential() {
  local recipient="$1"
Confidence
93% confidence
Finding
mkdir -p ~/.pilot/keychain/{sent,received} send_credential() { local recipient="$1" local value="$2" local cred_id=$(openssl rand -hex 8) cat > /tmp/cred-$cred_id.json <<EOF { "credential_

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.