Council Pilot

Security checks across malware telemetry and agentic risk

Overview

Council Pilot's behavior is consistent with its stated purpose as an autonomous coding skill, but it can modify repositories and publish to GitHub without clear approval gates.

Install only if you intend to let an agent autonomously research online, edit a repository, run shell commands, and potentially publish a GitHub PR. Use a disposable branch or sandbox, review all generated files and build logs for secrets or private details, and require manual confirmation before any git push or PR creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s declared role is to read local dossiers and fill profile artifacts, but the instructions explicitly direct the agent to fetch live content from source URLs when accessible. That expands the trust boundary from curated local inputs to arbitrary remote content, increasing prompt-injection, untrusted-content ingestion, and reproducibility risks. In this skill context, that is more dangerous because the output is written into expert profiles that may be reused downstream as trusted knowledge.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes general Bash capability even though its core task is structured reading, extraction, and writing, with only a narrow validation command described. Unnecessary shell access increases the blast radius of prompt injection or agent misuse by enabling arbitrary command execution, filesystem manipulation, or network-enabled tooling beyond the stated task. The context makes this worse because the skill already processes untrusted source content and writes outputs used by other agents.
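One way to shrink the blast radius this finding describes, as an added example and not Council Pilot's own tool configuration: put a gate in front of the shell tool that admits only the one validation command the skill actually needs and refuses everything that requires a shell. The allowlisted command (the test runner, invoked as `python -m pytest ...` or `pytest ...`), the list of network and repository tools, and the working-tree path rule are assumptions for the example; the page does not name the skill's validation command.

```python
"""Least-privilege gate in front of the skill's shell tool.

Added example, not Council Pilot's own tool configuration. The only shell use the skill
describes is one narrow validation command, so this gate admits a single allowlisted argv
(assumed here to be the test runner: `python -m pytest ...` or `pytest ...`) and rejects
anything that needs a shell (operators, redirection, substitution), any program outside
the allowlist, network and repository tools, code-execution flags, and paths that leave
the working tree. Run an admitted argv with subprocess.run(argv) and never shell=True.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Assumed allowlist: program name -> leading arguments the invocation must start with.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "python": ["-m", "pytest"],
    "pytest": [],
}
# shlex keeps "|" and "&&" as their own tokens, but ";" and substitutions stay glued to a
# word, so both whole-token and substring checks are needed.
SHELL_TOKENS = {";", "&&", "||", "|", ">", ">>", "<", "&"}
SHELL_FRAGMENTS = ("$(", "${", "`", ";", "|", "&", ">", "<")
NETWORK_OR_REPO_TOOLS = {"curl", "wget", "nc", "ncat", "ssh", "scp", "git", "gh"}


def parse_argv(command: str) -> Optional[List[str]]:
    """Tokenize the way a POSIX shell would; None when quoting is unbalanced."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


def gate(command: str) -> Tuple[bool, str]:
    """Decide whether the command may run; returns (allowed, reason)."""
    argv = parse_argv(command)
    if not argv:
        return False, "empty or unparseable command"
    for tok in argv:
        if tok in SHELL_TOKENS or any(frag in tok for frag in SHELL_FRAGMENTS):
            return False, f"shell syntax not permitted: {tok!r}"
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in NETWORK_OR_REPO_TOOLS:
        return False, f"network or repository tool not permitted: {prog}"
    if prog not in ALLOWED_COMMANDS:
        return False, f"program not in allowlist: {prog}"
    required = ALLOWED_COMMANDS[prog]
    if argv[1:1 + len(required)] != required:
        return False, f"{prog} may only be invoked as: {' '.join([prog] + required)}"
    for arg in argv[1 + len(required):]:
        # For the python interpreter, -c and -m run arbitrary code. pytest's own -c/-m
        # share those names and are rejected as well, which errs on the safe side.
        if arg in ("-c", "-m"):
            return False, f"flag {arg} would run arbitrary code"
        if arg.startswith("/") or ".." in arg.split("/"):
            return False, f"path leaves the working tree: {arg}"
    return True, "ok"
```

The gate deliberately does not try to sanitize a command into something safe; anything that is not a plain argv for the allowlisted program is refused outright, because a prompt-injected instruction will arrive as exactly that kind of compound command.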

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly says the skill will autonomously build, iterate, and then submit a PR, but it does not clearly warn that this can modify a local repository and perform remote GitHub actions. In an autonomous coding skill, repo writes, branch pushes, and PR creation are sensitive side effects that should require explicit user awareness and confirmation; otherwise users may trigger unintended code changes or external submissions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrase set is broad enough to activate on ordinary software/project requests, which can cause the skill to engage an unnecessarily autonomous workflow with file, shell, and repo-modifying behavior. In this context, overbroad activation is more dangerous because the skill is positioned to generate code, persist state, and eventually publish changes.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill describes an end-to-end autonomous pipeline that writes files, runs shell commands, modifies repositories, and submits results to GitHub, but does not present a prominent user-facing warning or consent checkpoint before those actions. In an agent environment, this can lead to unintended local modification and external publication of sensitive or unreviewed code.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Build phase instructs the agent to generate and write code directly into a target repository path without a mandatory review or confirmation step. This is dangerous because it can overwrite files, introduce insecure code, or modify the wrong repository when the trigger fires unexpectedly or inputs are ambiguous.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Submission phase explicitly instructs pushing a branch and creating a GitHub pull request, which is a remote side effect with potential data-exfiltration and supply-chain implications. Without an explicit publication warning and confirmation gate, the skill could publish sensitive code, secrets, or misleading artifacts to an external service.
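The confirmation gate that this finding, the two Missing User Warnings findings above it, and the install guidance all call for can be enforced at the git layer. The following is an added example, not anything shipped with Council Pilot: a pre-push hook that refuses pushes outside a disposable branch namespace, refuses deletions, and refuses any push a human does not approve on the terminal. The refs/heads/sandbox/ namespace and the yes/no prompt are assumptions for the example; the stdin line format is git's documented pre-push hook interface.

```python
#!/usr/bin/env python3
"""Git pre-push hook that refuses agent-driven pushes and scopes pushes to a sandbox namespace.

Added example, not code from Council Pilot. Install as .git/hooks/pre-push (chmod +x).
Git runs it with <remote name> <remote url> as arguments and feeds one line per ref on stdin:
    <local ref> <local sha> <remote ref> <remote sha>
Assumed policy: only refs/heads/sandbox/* may be pushed, deletions are refused, and the
push proceeds only after a human types "yes" on the controlling terminal. When no terminal
can be opened (the normal case when an agent invokes git), the push is denied.
"""
import sys
from typing import List, Tuple

SANDBOX_PREFIX = "refs/heads/sandbox/"   # assumed disposable-branch namespace
DELETE_SHA = "0" * 40                     # git sends an all-zero local sha for a deletion


def parse_ref_lines(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse the four-field pre-push stdin lines, skipping blank lines."""
    refs: List[Tuple[str, str, str, str]] = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"malformed pre-push line: {line!r}")
        refs.append((parts[0], parts[1], parts[2], parts[3]))
    return refs


def check_refs(refs: List[Tuple[str, str, str, str]]) -> List[str]:
    """Return policy violations; an empty list means every ref is inside the sandbox."""
    problems: List[str] = []
    for _local_ref, local_sha, remote_ref, _remote_sha in refs:
        if local_sha == DELETE_SHA:
            problems.append(f"refusing to delete remote ref {remote_ref}")
        elif not remote_ref.startswith(SANDBOX_PREFIX):
            problems.append(f"{remote_ref} is outside {SANDBOX_PREFIX}")
    return problems


def human_confirmed(prompt_in, prompt_out) -> bool:
    """Ask for an explicit "yes"; anything that is not an interactive terminal is a no."""
    if not prompt_in.isatty():
        prompt_out.write("pre-push: no interactive terminal, refusing push\n")
        return False
    prompt_out.write("pre-push: push the refs listed above? [yes/NO] ")
    prompt_out.flush()
    return prompt_in.readline().strip().lower() == "yes"


def main() -> int:
    remote_url = sys.argv[2] if len(sys.argv) > 2 else "<unknown remote>"
    refs = parse_ref_lines(sys.stdin.readlines())
    problems = check_refs(refs)
    for problem in problems:
        sys.stderr.write(f"pre-push: {problem}\n")
    if problems:
        return 1
    for _, sha, remote_ref, _ in refs:
        sys.stderr.write(f"pre-push: {sha[:12]} -> {remote_ref} on {remote_url}\n")
    # stdin carried the ref list, so the confirmation must come from the terminal itself.
    try:
        terminal = open("/dev/tty")
    except OSError:
        sys.stderr.write("pre-push: no interactive terminal, refusing push\n")
        return 1
    with terminal:
        return 0 if human_confirmed(terminal, sys.stderr) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The hook covers only the push; gate PR creation the same way by wrapping whatever command creates the PR (for example `gh pr create`) behind an interactive prompt. An agent with shell access can pass `--no-verify` or edit `.git/hooks`, so treat this as protection against accidental publication; the hard control is to keep push credentials out of the sandbox the agent runs in, so that publication is physically impossible without a human step.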

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill metadata advertises broad autonomous behavior ('autonomously drive a project to production maturity' and iterate until '100/100') without meaningful trigger constraints, safety boundaries, or explicit requirements for user confirmation before consequential actions. The skill is especially risky in this context because its overall capability spans expert distillation, code generation, debugging, adversarial iteration, and eventual submission to GitHub, so over-broad invocation on an ambiguous user request can lead directly to unsafe autonomous execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented log format captures full command strings plus raw stdout and stderr for every build/debug stage. In an autonomous build system, those streams can easily include secrets, environment values, repository paths, tokens echoed by tools, stack traces with sensitive data, or proprietary source snippets, creating a persistent leakage channel via build logs.
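A redaction pass that applies the review the install guidance asks for before a stage log is written, as an added example and not Council Pilot's own logger. The record layout (stage, command, stdout, stderr) is assumed, since the page describes but does not show the log format, and the sample record is constructed with fake credentials. The token shapes are public formats (GitHub ghp_/gho_-style and github_pat_ tokens, AWS access key IDs, bearer tokens, credentials embedded in URLs) plus any KEY=value assignment whose name looks sensitive, which is exactly what an `env` dump or a tool echoing its environment produces.

```python
"""Redact credential-shaped strings from build-stage log records before they are persisted.

Added example, not Council Pilot's own logger. The record layout below is assumed:
{"stage": ..., "command": ..., "stdout": ..., "stderr": ...}.
"""
import json
import re
from typing import Dict, List, Tuple

# (label, regex): specific token shapes first, the generic KEY=value rule last.
PATTERNS = [
    ("github_pat", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}")),
    ("url_userinfo", re.compile(r"(?i)(https?://)[^/\s:@]+:[^/\s@]+@")),
    ("env_assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY)"
        r"[A-Z0-9_]*)=(\S+)")),
]


def redact_text(text: str) -> Tuple[str, List[str]]:
    """Replace every match of every pattern; return the clean text and the labels that fired."""
    hits: List[str] = []

    def replacer(label: str):
        def repl(match) -> str:
            hits.append(label)
            if label == "url_userinfo":
                return match.group(1) + "[REDACTED]@"      # keep the scheme, drop user:pass
            if label == "env_assignment":
                return f"{match.group(1)}=[REDACTED]"      # keep the variable name
            if label == "bearer":
                return "Bearer [REDACTED]"
            return f"[REDACTED:{label}]"
        return repl

    for label, pattern in PATTERNS:
        text = pattern.sub(replacer(label), text)
    return text, hits


def redact_record(record: Dict[str, str]) -> Dict[str, object]:
    """Redact the command string and both output streams of one stage record."""
    clean: Dict[str, object] = {"stage": record.get("stage", "")}
    fired: List[str] = []
    for field in ("command", "stdout", "stderr"):
        text, hits = redact_text(record.get(field, ""))
        clean[field] = text
        fired.extend(hits)
    clean["redactions"] = fired   # what was removed, so reviewers know the log is incomplete
    return clean


# Constructed sample record: the AWS key is the documentation example key, the rest is made up.
SAMPLE_RECORD = {
    "stage": "build",
    "command": "git push https://octocat:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.com/example/repo.git sandbox/try-1",
    "stdout": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nGITHUB_TOKEN=ghp_...\n",
    "stderr": "curl: (22) The requested URL returned error: 401 for Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
}

if __name__ == "__main__":
    print(json.dumps(redact_record(SAMPLE_RECORD), indent=2))
```

Pattern matching only catches credentials that look like credentials; proprietary source snippets and stack traces with internal paths need a decision about whether raw stdout and stderr belong in a persisted log at all. Keeping the redaction count per record lets a reviewer see which stages leaked something without reading the leaked value.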

Session Persistence

Medium
Category
Rogue Agent
Content (excerpt from the skill's own documentation)
| Max iterations (default: 10) | Pause, generate report, print state |
| Build failure (3 retries) | Log failure, feed to gap analyst |
| Score regression (>10 points) | Pause, revert to previous artifact |
| Context window pressure | Write state to disk, compact, resume |
Confidence
87% confidence
Finding
Matched text: "Write state to disk". Under context-window pressure the skill checkpoints its state to disk, compacts the context, and resumes, so the autonomous loop carries on across context resets instead of stopping at a point where the user could intervene.

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean.

Antivirus engines assess file-based malware, not agentic risk. A clean VirusTotal result says nothing about prompt injection from fetched content, unrestricted tool access, or unconfirmed pushes and PR creation, so it does not offset the SkillSpector findings above.