Cellcog

Pass. Audited by ClawScan on May 1, 2026.

Overview

CellCog is a broad external AI-service integration that clearly discloses API-key use, file uploads, SDK installation, and background completion handling.

Before installing, confirm you are comfortable using the CellCog cloud service, providing a CellCog API key, installing the CellCog Python SDK, and uploading only the files you intentionally tag for processing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Files placed in SHOW_FILE tags may leave the local environment and be processed by CellCog.

Why it was flagged

The skill explicitly sends user-selected local files to an external AI service; it also gives appropriate warning not to upload secrets.

Skill content

Anything inside a `<SHOW_FILE>` tag is uploaded to CellCog. Don't wrap credentials, private keys, `.env` files, SSH keys, or other sensitive material in SHOW_FILE tags

Recommendation

Only tag files you intend to share with CellCog, and avoid credentials, private keys, environment files, or confidential material unless you are comfortable uploading it.

What this means

The agent can submit tasks using the configured CellCog account and may consume CellCog credits.

Why it was flagged

The integration requires a CellCog API key, which is expected for the service but grants account-linked access.

Skill content

Set `CELLCOG_API_KEY` — the SDK picks it up automatically

Recommendation

Use a dedicated or least-privilege API key if available, monitor credit usage, and rotate the key if it is exposed.

What this means

Installing the SDK runs third-party package code from PyPI in the user’s environment.

Why it was flagged

The skill relies on an external PyPI package installed by the user; this is purpose-aligned but not pinned in the instruction.

Skill content

If import fails, install the official CellCog Python SDK:
```bash
pip install -U cellcog
```

Recommendation

Install from the stated official package source, review the package if required by your environment, and consider pinning a version for reproducible installs.

Note, High Confidence
ASI10: Rogue Agents

What this means

For OpenClaw fire-and-forget tasks, results may arrive later through a background listener rather than during the original request.

Why it was flagged

The skill describes a background completion mechanism; it is disclosed and appears tied to task completion.

Skill content

Returns immediately. A background daemon monitors via WebSocket and delivers results to your session when done.

Recommendation

Use this mode only when delayed task completion is desired, and keep track of which tasks were started.