Back to skill

Security audit

Cellcog

Security checks across malware telemetry and agentic risk

Overview

CellCog is a disclosed cloud AI integration with real file-sharing risks, but the reviewed artifact is coherent and does not show hidden or malicious behavior.

Install only if you are comfortable sending selected files and prompts to CellCog's cloud service and using CellCog credits. Do not wrap secrets, private keys, .env files, SSH keys, confidential documents, or files you do not intend to upload in SHOW_FILE tags; review generated downloads and full result messages before sharing logs or outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill description is extremely broad ('Any-to-any AI sub-agent' handling research, media, documents, code, and more), which increases the chance it will be invoked for ordinary user requests that were not specifically intended for this integration. Because the skill also supports uploading arbitrary local files via SHOW_FILE and generating local outputs, overbroad matching can lead to unnecessary exposure of local data to a third-party service or unintended delegation of sensitive tasks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.