ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CogDx Health Check (Free)

v1.0.0

Free cognitive health check for AI agents via Cerebratech CogDx. Use as entry point before committing to paid diagnostics. Agent sends 10-20 recent outputs w...

0· 98·0 current·0 all-time
byDr Amanda Kavner@drkavner
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with the provided POST API for cognitive diagnostics and the required data (10–20 outputs with confidence and correctness) is reasonable for that analysis. However, requiring a 'correct' boolean and 'recent outputs' implicitly expects human-labeled correctness or an oracle; this is feasible but not explained. The repository URL and author are provided in SKILL.md but the registry shows no homepage and an unknown owner ID, which could indicate incomplete provenance.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to gather and transmit 10–20 recent prompts/responses (with stated_confidence and correctness). There is no instruction to scrub, redact, or obtain consent for potentially sensitive content, no retention or privacy policy, and no guidance on how to determine 'correct'. The trigger phrases and 'send recent outputs' behavior could cause unintended leakage of sensitive user data or third-party content.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are pulled. This is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to the claimed purpose (it uses a public HTTPS API). The main residual risk is data content being sent, not credential misuse.
Persistence & Privilege
always:false and no indications of modifying agent/system configs. The skill can be invoked by the agent (default behavior), which combined with the instruction to upload recent outputs increases blast radius but is normal platform behavior and not a standalone privilege escalation.
What to consider before installing
This skill will ask the agent to collect and POST 10–20 recent prompts/responses (including a 'correct' flag) to https://api.cerebratech.ai/cogdx-health. Before installing or invoking: (1) Verify the service owner (check the GitHub repo and confirm the domain ownership/TLS certificate) and ensure the registry owner matches the vendor; (2) Do not send real user data — test first with synthetic or scrubbed samples; (3) Add or request explicit instructions to redact PII/secrets and to obtain user consent where required; (4) Clarify how to determine the 'correct' boolean (human labeling vs automatic); (5) Confirm data retention, privacy, and deletion policies with the provider, and be cautious about automatic triggers that could upload sensitive history. Because the skill is coherent with its stated purpose but under-specified around privacy and labeling, proceed only after addressing these points.

Like a lobster shell, security has layers — review code before you run it.

latestvk9744cc7v849xq2hkkxkhwey3d835jkd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments