Cellcog
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: cellcog Version: 2.0.15 The 'cellcog' skill (SKILL.md) provides an interface for an external AI service with high-risk capabilities, including the ability to upload any local file via absolute paths and download files to the local filesystem. While the documentation contains explicit warnings against sharing sensitive information like credentials or SSH keys, the broad file and network access are inherently risky. The mention of a background daemon for task monitoring and the use of future-dated metadata (April 2026) in `_meta.json` and `SKILL.md` are additional indicators that warrant a cautious classification despite the lack of clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Files placed in SHOW_FILE tags may leave the local environment and be processed by CellCog.
The skill explicitly sends user-selected local files to an external AI service; it also gives appropriate warning not to upload secrets.
Anything inside a `<SHOW_FILE>` tag is uploaded to CellCog. Don't wrap credentials, private keys, `.env` files, SSH keys, or other sensitive material in SHOW_FILE tags
Only tag files you intend to share with CellCog, and avoid credentials, private keys, environment files, or confidential material unless you are comfortable uploading it.
The agent can submit tasks using the configured CellCog account and may consume CellCog credits.
The integration requires a CellCog API key, which is expected for the service but grants account-linked access.
Set `CELLCOG_API_KEY` — the SDK picks it up automatically
Use a dedicated or least-privilege API key if available, monitor credit usage, and rotate the key if it is exposed.
Installing the SDK runs third-party package code from PyPI in the user’s environment.
The skill relies on an external PyPI package installed by the user; this is purpose-aligned but not pinned in the instruction.
If import fails, install the official CellCog Python SDK: ```bash pip install -U cellcog ```
Install from the stated official package source, review the package if required by your environment, and consider pinning a version for reproducible installs.
For OpenClaw fire-and-forget tasks, results may arrive later through a background listener rather than during the original request.
The skill describes a background completion mechanism; it is disclosed and appears tied to task completion.
Returns immediately. A background daemon monitors via WebSocket and delivers results to your session when done.
Use this mode only when delayed task completion is desired, and keep track of which tasks were started.