Back to skill

Security audit

Pilot Slack Bridge

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Slack/Pilot bridge, but its example creates an under-scoped Slack command interface that can expose daemon and peer information.

Review before installing. Use this only in a trusted Slack workspace, restrict inbound events to approved channels and users, avoid exposing daemon status or peer lists to chat by default, protect and rotate Slack webhook URLs, and inspect the external relay implementation before running the always-on bridge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The example workflow turns a Slack bridge into a remote command surface by accepting Slack text commands and responding with daemon status and peer listings. That expands the skill from message transport into operational introspection, which can leak internal topology and service state to anyone able to post into the connected Slack path.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documented 'Process Slack commands' loop is not passive bridging; it instructs operators to execute behavior based on inbound Slack messages. In practice this creates a chat-driven control interface without any shown authentication, authorization, rate limiting, or origin verification, making misuse more dangerous in the context of an external messaging platform.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill shows how to configure a Slack webhook and publish data/events to Slack without warning that agent output and inbound event contents will leave the local environment and be sent to a third-party service. That omission increases the chance that operators forward sensitive operational data, credentials, or personal information to Slack unintentionally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.