Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cogmate Client
v1.0.1
Access and query Cogmate personal knowledge systems for knowledge retrieval, semantic search, and Q&A using a valid CogNexus access token.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (querying Cogmate personal knowledge systems) matches the provided SKILL.md, reference docs, and the two helper scripts which perform POST /api/ask and GET /api/visual/facts. There are no unrelated requirements (no cloud creds, no system binaries).
Instruction Scope
Runtime instructions and scripts only call the documented Cogmate endpoints using a supplied URL and token. They do not read local files, access unrelated environment variables, or send data to third-party endpoints. The only minor concern is that tokens are passed as URL query parameters (per API design), which can leak via logs—this is a security/design note, not evidence of scope creep.
Install Mechanism
No install specification (instruction-only). The repo contains two small shell scripts; nothing is downloaded or installed automatically and no archives or remote installers are used.
Credentials
The skill requests no environment variables or primary credentials in the registry metadata; tokens are expected to be provided by the caller as arguments. The credential needs (a CogNexus/Cogmate token) are proportional to the stated functionality.
Persistence & Privilege
Skill does not request persistent/always-on privileges, does not modify other skills or system settings, and uses standard agent-invocable defaults. No elevated system presence is requested.
Assessment
This skill is a simple client that needs a Cogmate endpoint URL and an access token you provide. Before installing/using: (1) confirm the COGMATE_URL you supply is trustworthy and use HTTPS to avoid token interception; (2) prefer supplying tokens via secure means rather than embedding them in shared command history (tokens in URL query params can appear in logs and browser history); (3) verify token scope/least-privilege (use qa_public or browse_public if full access isn't required); (4) review the two small scripts (they are plain curl+python JSON parsing) before running. The repository links in the README contain inconsistent example domains—double-check the real CogNexus/Cogmate documentation from the instance owner before obtaining tokens.
Like a lobster shell, security has layers — review code before you run it.
