Back to skill

Security audit

Pilot Webhook Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill transparently teaches users how to forward Pilot events to user-chosen webhooks, which carries data-sharing risk but matches its stated purpose.

Install this only if you intend Pilot event data to be sent to external webhook providers. Prefer HTTPS endpoints you control or trust, use selective source/topic subscriptions where possible, redact secrets or personal data before forwarding, and clear any global webhook when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill is explicitly designed to forward Pilot events to third-party webhook endpoints, but it does not include clear warnings about potential disclosure of sensitive event contents, metadata, or secrets to external services. In this context, the issue is a real security weakness because users may deploy the examples as-is and unintentionally exfiltrate operational or sensitive data outside the Pilot environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.