ClawHub

Image Cog

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Image Cog appears coherent for CellCog-powered image generation, with the main user considerations being its API key use and transmission of prompts or reference images to external AI services.

Before installing, verify that you trust CellCog and the CellCog SDK, use a dedicated API key where possible, and do not submit private photos, confidential brand assets, or sensitive prompts unless you are comfortable with CellCog and its downstream AI providers processing them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Anyone using the skill must provide a service credential that could authorize paid or account-linked image-generation requests.

Why it was flagged

The skill requires a CellCog API key, which is expected for a CellCog-backed service but still grants access to the user's CellCog account or billing context.

Skill content
requires:
      bins: [python3]
      env: [CELLCOG_API_KEY]
Recommendation

Use a dedicated CellCog API key if possible, keep it out of prompts and logs, and revoke or rotate it if no longer needed.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Prompts, uploaded reference images, brand assets, or personal photos may leave the local environment for processing by CellCog and its model providers.

Why it was flagged

The skill supports sending user-provided prompts and reference images to CellCog, and CellCog may route work to downstream model providers.

Skill content
Use existing images as references for style, character, or composition ... CellCog's agents intelligently route to other models when the task calls for it
Recommendation

Avoid submitting confidential or sensitive images unless CellCog's privacy, retention, and provider-routing terms are acceptable.

#
ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The safety of actual API calls depends on the installed CellCog SDK/package, not on code included in this instruction-only skill.

Why it was flagged

The skill delegates execution to the external CellCog dependency; this is purpose-aligned, but users depend on that package's provenance and behavior.

Skill content
dependencies: [cellcog]
...
from cellcog import CellCogClient
Recommendation

Install CellCog only from a trusted source and keep it updated or pinned according to your normal dependency-management practices.