Back to skill

Security audit

Data Analysis Cellcog

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CellCog data-analysis skill, but users should understand that uploaded datasets are processed by CellCog and may be transformed.

Install only if you are comfortable sending selected datasets and prompts to CellCog for processing. Do not upload secrets, regulated personal data, or confidential business data unless your organization approves CellCog for that use, and keep originals when asking for cleaned or transformed files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill repeatedly instructs users to upload files and states that CellCog 'runs the code for you,' but it does not clearly disclose that uploaded datasets are sent to a third-party remote service for processing. This is dangerous because users may provide sensitive CSVs, logs, HR, customer, or research data under the false assumption analysis happens locally, leading to unintended external data exposure and compliance/privacy violations.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The data cleaning and transformation section encourages the agent to fix formats, remove duplicates, fill missing values, and standardize fields, but it does not warn that returned datasets may be materially altered from the source. This can mislead users into trusting transformed outputs as faithful originals, causing silent data corruption, auditability problems, or downstream decisions based on modified data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.