Audio Cog

Security checks across malware telemetry and agentic risk

Overview

Audio Cog is a coherent CellCog audio-generation integration, but it openly requires a CellCog API key and sends work to external/async voice services, including voice cloning.

Install this skill only if you trust CellCog and are comfortable sending prompts and audio-generation requests to its service. Use a controlled API key, monitor usage, avoid submitting secrets, and use cloned voices only with consent and clear disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse

Low

What this means

Using the skill may consume CellCog account resources or access account-associated audio-generation features.

Why it was flagged

The skill requires a CellCog API key, which is expected for the stated service integration but grants access to the user's CellCog account or billing context.

Skill content

env: [CELLCOG_API_KEY]

Recommendation

Use a dedicated or least-privileged CellCog API key if available, monitor usage, and avoid sharing the key in prompts or generated content.

ASI07: Insecure Inter-Agent Communication

Low

What this means

Prompt text, task labels, and audio-generation requests may leave the local agent and be processed by CellCog or its voice providers.

Why it was flagged

The documented workflow sends user prompts into a CellCog chat/agent task and reports back through a session key, indicating an external provider/agent communication flow.

Skill content

result = client.create_chat(
    prompt="[your task prompt]",
    notify_session_key="agent:main:main",
    task_label="my-task",
    chat_mode="agent",
)

Recommendation

Do not include secrets or private text unless you intend to send it to CellCog, and review CellCog's privacy and retention policies before use.

ASI04: Agentic Supply Chain Vulnerabilities

Info

What this means

If the environment installs or resolves this dependency, trust shifts to the external CellCog package/source.

Why it was flagged

The artifact relies on an external CellCog dependency, but no install spec or package pin is provided in the supplied artifacts.

Skill content

dependencies: [cellcog]

Recommendation

Install CellCog only from an official source, prefer pinned versions where possible, and review the companion CellCog skill/package if available.

ASI10: Rogue Agents

Low

What this means

An audio-generation job may continue running after the initial call and could consume service credits or produce output later.

Why it was flagged

The documented OpenClaw workflow intentionally starts an asynchronous task rather than blocking until completion.

Skill content

**OpenClaw (fire-and-forget):**

Recommendation

Use clear task labels, avoid launching duplicate long-running jobs, and check CellCog's status or cancellation controls for larger tasks.

ASI09: Human-Agent Trust Exploitation

Low

What this means

Generated audio could be mistaken for a real person's speech if shared without disclosure.

Why it was flagged

The skill explicitly supports cloned/avatar voices, a disclosed and purpose-aligned capability that can affect human trust if used without consent or labeling.

Skill content

When an avatar has a cloned voice, CellCog uses the MiniMax provider to generate speech that sounds like that person.

Recommendation

Use voice cloning only with appropriate consent and label synthetic or cloned-voice audio when sharing it.