Back to skill

Security audit

Fin Cog

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CellCog finance-analysis helper, but users should be careful not to overshare sensitive personal financial details.

Install only if you are comfortable using CellCog with a CELLCOG_API_KEY for financial prompts. Avoid sending account numbers, SSNs, full tax documents, exact addresses, or unnecessary identifiers; use redacted or aggregated figures where possible, and treat outputs as research support rather than licensed investment, tax, or financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly invites users to submit highly sensitive financial and personal information such as portfolio allocations, income, savings, debt, tax details, and spending breakdowns, but it provides no privacy notice, minimization guidance, or warning that this data may be transmitted to a third-party service via the CellCog API. In a finance context, users are especially likely to disclose regulated or identity-linked data, increasing the risk of oversharing, data exposure, or inappropriate downstream retention.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.