Back to skill

Security audit

Pilot Sync

Security checks across malware telemetry and agentic risk

Overview

This skill openly syncs files to another agent, but its examples can continuously send directories and overpromise bidirectional conflict protection without enough safeguards.

Review before installing. Use this only with a dedicated non-sensitive sync folder, verify the Pilot Protocol peer ID, add exclusions for secrets and hidden files, and stop the watcher when finished. Do not rely on the provided examples for true bidirectional conflict-safe synchronization unless that logic is implemented elsewhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill includes ready-to-run examples for continuous directory watching, manifest generation, and automatic file transmission to a remote peer without any safeguards, scope restrictions, or warning about sensitive-data propagation. In this context, the danger is not a software memory-safety flaw but an unsafe operational pattern: users may unintentionally sync secrets, personal files, or metadata continuously to another agent, especially because the examples use broad directory paths and unattended loops.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.