Back to skill

Security audit

Image Cog

Security checks across malware telemetry and agentic risk

Overview

Image Cog is a documentation-only image-generation skill whose API key, external service use, and model providers are disclosed enough for a normal install review.

Install only if you trust CellCog and the cellcog Python package. Use a revocable API key, keep CELLCOG_API_KEY out of prompts and logs, and do not submit private photos, confidential brand assets, or regulated data unless CellCog's provider routing and data-handling terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requires an external API key and clearly sends user prompts and likely uploaded/reference images to CellCog, but it does not disclose that user content leaves the local environment and may be processed by third-party providers such as Google, OpenAI, or Recraft. This creates a real privacy and data-handling risk because users may submit sensitive images, brand assets, or personal photos without informed consent about external transmission and downstream processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.