Data Cog
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: data-cog Version: 1.0.11 The data-cog skill bundle is a documentation-centric integration for the CellCog data analysis platform. The SKILL.md and _meta.json files contain instructions and examples for performing data science tasks like cleaning, visualization, and machine learning using the 'cellcog' Python library. There is no evidence of malicious code, data exfiltration, or prompt injection; the requirements (CELLCOG_API_KEY and the cellcog dependency) are consistent with the tool's stated purpose of providing remote or automated data analysis services.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your uploaded datasets may be processed by code running through the CellCog workflow, producing files, charts, models, or reports.
The skill discloses that CellCog executes Python-backed analysis on the user's data. This is central to the stated purpose, but it is still more powerful than a prompt-only helper.
“Full Python access for everything from data cleaning to ML model evaluation.” / “CellCog runs the code for you”
Only submit files you intend to analyze with CellCog, and review prompts carefully before starting agent-mode tasks.
Using the skill may consume CellCog account quota or paid credits, and anyone with the key could potentially act through that account.
The skill requires a service API key and the registry signals that the credential may authorize sensitive or paid actions. This is expected for an external analysis service, but it is account authority.
“Required env vars: CELLCOG_API_KEY” and capability signals include “can-make-purchases” and “requires-sensitive-credentials”
Use a dedicated, least-privileged CellCog API key if available, monitor usage, and avoid putting the key directly into prompts or shared files.
Security depends partly on the trusted CellCog package/service and the referenced SDK documentation, not just this SKILL.md file.
The instruction-only skill depends on an external SDK and references another skill for details. That is coherent with the integration, but the actual SDK/source is outside the provided artifact contents.
“dependencies: [cellcog]” and “read the **cellcog** skill for the full SDK reference”
Install the CellCog SDK only from the official source, verify the package name and publisher, and prefer pinned or reviewed versions where possible.
Task prompts, filenames, and analysis results may pass through CellCog and configured agent-provider channels.
The examples show prompts and task results moving through CellCog agent/provider workflows and an OpenClaw notification session. This is expected for the service, but users should recognize the data-sharing boundary.
“client.create_chat(... notify_session_key=\"agent:main:main\", ... chat_mode=\"agent\")” and “agent_provider=\"openclaw|cursor|claude-code|codex|...\"”
Avoid uploading confidential datasets unless CellCog's data-handling terms meet your needs, and keep task prompts limited to the data required for the analysis.