Pod Cog

Security checks across malware telemetry and agentic risk

Overview

Pod Cog is a disclosed CellCog podcast-production helper. The main consideration is that podcast prompts and content are processed through CellCog using a CellCog API key.

Install this only if you trust CellCog and are comfortable sending podcast prompts, scripts, guest research, show notes, and production requests to that service. Use an appropriate API key, monitor account usage for long-running audio jobs, and avoid submitting confidential or sensitive material unless CellCog's data handling terms are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill gives broad usage guidance and encourages reading another skill/SDK reference first, but it does not define clear boundaries for when the skill should or should not be invoked. In an agent setting, this can cause over-triggering and accidental use for loosely related requests, increasing the chance that user content is sent to the external CellCog service without clear necessity or consent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs users to submit prompts, scripts, guest research topics, show notes, and potentially full podcast content to CellCog, but it does not clearly warn that this material will be transmitted to an external third-party service. Because podcast workflows may include unpublished scripts, guest details, business strategy, or other sensitive material, this omission creates a real data exposure and consent risk.

VirusTotal

64/64 vendors flagged this skill as clean.
