Back to skill

Security audit

Research Cog

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only research skill that uses CellCog as advertised and does not include hidden code or destructive instructions.

Install only if you trust CellCog and are comfortable sending research prompts to its service. Use a dedicated, revocable API key, monitor credit usage for long-running or high-depth modes, avoid submitting secrets or regulated data unless approved, and choose explicit destinations before asking for PDF or HTML reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to submit arbitrary research prompts to CellCog but does not clearly warn that prompts, attached data, and related task context may be transmitted to an external third-party service. In a research workflow, prompts may contain confidential business plans, due-diligence materials, investment theses, or regulated data, so the omission can cause unintended data disclosure.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill promotes HTML and PDF report generation without warning that these formats may create files or artifacts in the user's workspace. While this is not inherently dangerous, users may be surprised by generated files, overwritten outputs, or workspace clutter, especially in automated agent contexts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.