Dash Cog

Security checks across malware telemetry and agentic risk

Overview

Dash Cog is a coherent CellCog-powered dashboard generator, but users should note that it uses an API key and may send prompts or uploaded data to an external agent service.

This skill appears purpose-aligned and not malicious based on the provided artifacts. Before installing, make sure you trust CellCog, protect your CELLCOG_API_KEY, and avoid uploading confidential, regulated, or secret data unless your organization approves CellCog for that use.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Installing and using the skill requires handling a sensitive API key.

Why it was flagged

The skill requires a CellCog API key, giving the workflow access to a user's CellCog account or quota. This is expected for the advertised CellCog integration.

Skill content
requires:
      bins: [python3]
      env: [CELLCOG_API_KEY]
Recommendation

Store the API key securely, avoid pasting it into prompts, and rotate or revoke it if you suspect exposure.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Prompts, uploaded CSV/JSON/Excel data, and business context may leave the local environment for CellCog processing.

Why it was flagged

The documented workflow sends the user's task prompt to CellCog's chat API. The same document also describes file uploads and agent/agent-team modes, so user-provided dashboard data may be processed by an external service.

Skill content
result = client.create_chat(
    prompt="[your task prompt]", ...
    chat_mode="agent",
)
Recommendation

Only send data you are allowed to share with CellCog, remove secrets or regulated personal data when possible, and review CellCog's data-handling terms before uploading sensitive business files.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The safety and behavior of the workflow also depend on the referenced CellCog component.

Why it was flagged

The skill relies on a separate CellCog dependency or skill that is not included in the provided artifact contents. This is not suspicious by itself, but it means important behavior may be defined outside this single SKILL.md.

Skill content
dependencies: [cellcog]
...
For your first CellCog task in a session, read the **cellcog** skill for the full SDK reference
Recommendation

Install the CellCog dependency from the expected source and review its own instructions and permissions before using this skill with sensitive data.

ASI10: Rogue Agents
Low
What this means

A requested dashboard-generation job may continue running remotely until completion and may consume service quota.

Why it was flagged

The documented OpenClaw mode creates an asynchronous agent task and notifies the session when done. This is clearly disclosed and aligned with the skill purpose, but it is still autonomous remote work after the initial request.

Skill content
**OpenClaw (fire-and-forget):**
```python
result = client.create_chat(
    prompt="[your task prompt]",
    notify_session_key="agent:main:main",
    task_label="my-task",
    chat_mode="agent",
)
```
Recommendation

Use fire-and-forget mode only for tasks you intend CellCog to complete, and monitor returned notifications or task labels for completion.