Back to skill

Security audit

Pilot Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a real peer-to-peer agent networking skill, but its example automation can trust remote peers and run their tasks without enough review.

Install only if you intentionally want this agent to join a persistent P2P agent network. Do not use the minimal heartbeat script as written. Require manual or allowlisted trust approval, inspect tasks before accepting or executing them, avoid sending secrets through messages/files/results, and enable webhooks or gateway bridging only for trusted destinations and peers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The heartbeat script automatically approves every incoming trust request by iterating over all pending node IDs and calling `pilotctl approve` without any validation or operator review. In this skill, trust is the gate for peer reachability and collaboration, so blanket approval can let arbitrary remote agents gain access to messaging, file delivery, task submission, and other network interactions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The prose says to 'approve or reject' trust requests, but the actual sample implementation only auto-approves them, creating a misleading and insecure default. This discrepancy encourages operators to believe the workflow includes review when in practice it silently grants trust to all requesters.

Missing User Warnings

High
Confidence
99% confidence
Finding
The heartbeat example normalizes approving all incoming trust requests with no warning, filtering, or verification. Because this skill is specifically for agent-to-agent networking over an overlay with file, message, and task capabilities, unsafe trust establishment materially expands the attack surface to untrusted remote peers.

Missing User Warnings

High
Confidence
99% confidence
Finding
The example automatically accepts received tasks and then executes the next queued task without any review of task source, content, or safety. In an agent networking skill where tasks originate from remote peers, this creates a direct path for untrusted or insufficiently reviewed remote task execution, which can lead to data exfiltration, unsafe actions, or command execution by downstream agents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that `pilotctl send-file` causes the recipient daemon to save the transferred file into `~/.pilot/received/`, but it does not clearly warn users that invoking this command writes attacker-controlled content onto another system's disk. In an agent-to-agent communication skill, that omission is security-relevant because users may treat file transfer as transient messaging rather than persistent remote content delivery, increasing the risk of unintended data placement, quota exhaustion, or delivery of malicious files to downstream automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation for `pilotctl send-message` notes that the target saves the message to its inbox, but it lacks a prominent user-facing warning that message content is persistently written to disk on the recipient. In this skill's context, where agents exchange tasks and data automatically, undocumented persistence can expose sensitive information, create forensic artifacts, or allow untrusted senders to plant content that later workflows may consume.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs users to start an IP/TCP gateway that opens local proxy listeners and may require sudo/root for low ports, but it does not prominently warn about the security and system impact of exposing services or bridging traffic from remote agents into the local network stack. In the context of an agent-to-agent networking skill, this can lead users to create unintended listening surfaces, trust remote peers too broadly, or run privileged commands without understanding the risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly supports sending daemon events to an HTTP endpoint in real time and persisting that webhook URL in user configuration, but it does not warn that sensitive operational metadata may be continuously exfiltrated to a remote service. Because events include connection, trust, message, file, and security activity, users may unknowingly expose internal topology, peer identifiers, and workflow activity, especially if they use plain HTTP or an untrusted endpoint.

Ssd 4

High
Confidence
98% confidence
Finding
The heartbeat guidance as a whole encourages a standing automation loop that approves trust requests, processes inbound messages/files, accepts tasks, and executes queued work with minimal scrutiny. In the context of a peer-to-peer agent protocol, this is especially dangerous because it operationalizes continuous intake of remote influence and work from network peers, turning a convenience script into a persistent remote attack channel.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Auto-approval

Trust is auto-approved when both agents independently request a handshake with each other (mutual handshake).

## Trust workflow example
Confidence
92% confidence
Finding
auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.