Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CogDx Calibration Audit

v1.0.1

Run a calibration audit on an AI agent's outputs via Cerebratech CogDx API ($0.05 per call, credits accepted). Use when an agent's stated confidence doesn't...

by Dr Amanda Kavner (@drkavner)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description match the instructions: the skill sends sample outputs + stated confidences to Cerebratech's calibration endpoint and returns calibration metrics. It does not request unrelated credentials, binaries, or system access.
Instruction Scope
Instructions are limited to calling the Cerebratech API endpoints and submitting sample_outputs (prompts, responses, stated_confidence, correct). This is expected for calibration. Note: sample_outputs may contain sensitive user data or PII — the skill sends those samples off-host to a third-party API.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is written to disk or automatically installed. Low install risk.
Credentials
The skill declares no environment variables or credentials, which is proportionate. However, the x402 payment flow implies the agent (or operator) may need to produce an X-PAYMENT signature or otherwise use a wallet; the SKILL.md does not explain how to generate that signature or where signing keys are stored. Ensure signing keys are not exposed or auto-read by the agent.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request persistent presence or modify other skill configurations.
Assessment
This skill appears to do what it says: send labeled agent outputs to Cerebratech's calibration API for a paid statistical audit. Before installing or using it:
1) Verify the API domain (api.cerebratech.ai) and the GitHub repo/author claims to ensure legitimacy.
2) Avoid sending unredacted PII or secrets in sample_outputs — anonymize or synthetic-test first.
3) Clarify the x402 payment flow: find out how X-PAYMENT signatures are generated and where private keys/wallet signing happens; do not expose private keys to the skill or agent runtime.
4) Confirm cost/credit mechanics (cost per call, credit earning via /feedback) with Cerebratech's docs or support.
5) Test with the minimum required samples and non-sensitive data to validate behavior and responses before sending larger datasets.

Like a lobster shell, security has layers — review code before you run it.
