Back to skill

Security audit

Pilot Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent reference-lookup helper that uses Pilot service agents over an existing network, with no evidence of hidden persistence, credential theft, destructive actions, or deceptive behavior.

Install only if you intend to use Pilot Protocol service agents and have a trusted pilotctl/daemon setup. Avoid sending secrets, private task details, or sensitive business context in lookup messages, because requests and responses pass through external agents on the Pilot network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow example actively sends task identifiers and review messages to external peers via `pilotctl --json send-message`, but the skill provides no explicit user-facing warning that task metadata and review decisions are transmitted over the network. In a peer-review skill this network behavior is expected, yet the lack of disclosure can cause users to unintentionally expose sensitive task context or reviewer relationships to external systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.