Cogmate Client

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The artifacts describe a coherent read-only Cogmate API client, but users should protect their access token and use trusted HTTPS endpoints.

Install only if you intend to let the agent query a Cogmate knowledge base. Use a trusted HTTPS Cogmate URL, provide the narrowest token scope that works, avoid exposing tokens in chats or logs, and review retrieved answers before relying on them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the token may be able to query or browse the associated Cogmate knowledge base, including private content if the token has full scope.

Why it was flagged

The skill requires a Cogmate access token, and a full-scope token can access private knowledge. This is purpose-aligned and disclosed, but it is still sensitive account authority.

Skill content

All protected endpoints require `token` as **query parameter** ... `full` | Complete access: browse, ask, view private

Recommendation

Use the least-privileged token available, keep it secret, rotate or revoke it if exposed, and avoid sharing full-scope tokens unless necessary.

What this means

A leaked token could let someone else access the Cogmate knowledge base within that token's permissions.

Why it was flagged

The examples put the access token in the URL query string and show an HTTP URL. Query-string tokens can appear in logs or shell history, and HTTP transport can expose them on the network if not used only for local/trusted instances.

Skill content

curl -X POST "http://{COGMATE_URL}/api/ask?token=YOUR_TOKEN"

Recommendation

Prefer HTTPS endpoints, avoid pasting real tokens into shared logs or transcripts, and consider safer token handling where the Cogmate API supports it.

What this means

Private or inaccurate knowledge-base content may influence the agent's response if the user relies on it without review.

Why it was flagged

The skill brings retrieved personal-knowledge content into the agent's working context. That is the core purpose, but retrieved facts and answers should be treated as external data, not trusted instructions.

Skill content

Access Cogmate personal knowledge systems via API. Use when querying someone's Cogmate/模拟世界 for knowledge retrieval, semantic search, or Q&A.

Recommendation

Verify important retrieved facts and do not treat knowledge-base text as instructions to override the user's intent or safety rules.

What this means

Users have less external provenance information for deciding whether the skill and service are trustworthy.

Why it was flagged

The skill's registry metadata does not identify a source repository or homepage. The included scripts are visible and no remote install is specified, so this is a provenance note rather than a concrete malicious-behavior concern.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included files, verify the Cogmate endpoint and token issuer, and prefer skills with clear source provenance when available.