Docs Cog

Security checks across malware telemetry and agentic risk

Overview

Docs Cog is a coherent CellCog document-generation skill, but users should treat prompts, files, and API keys as sensitive because the service is external.

Install this only if you trust CellCog with the document content you provide. Keep CELLCOG_API_KEY in your environment or a secret manager, avoid placing secrets in prompts or generated documents, and review CellCog privacy, retention, and billing practices before using it for resumes, contracts, invoices, legal documents, or confidential reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill instructs users to set CELLCOG_API_KEY but does not include any warning about secure secret handling, which can lead users to paste credentials into prompts, documents, logs, or shell history. In an agent ecosystem, unclear secret-handling guidance increases the risk of accidental credential disclosure to the model, third-party tools, or generated artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.
