Security audit
Pilot S3 Bridge
Security checks across malware telemetry and agentic risk
Overview
This is a legitimate cloud-storage bridge skill, but its example shows a public long-running agent with cloud credentials and no documented access controls.
Install only if you understand and control the Pilot bridge environment. Use dedicated least-privilege cloud credentials, keep the daemon private unless public access is explicitly required, restrict buckets and prefixes, verify allowed senders, validate requested actions and paths, and stop the bridge when the task is complete.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.
