Back to skill

Security audit

Stock Analysis Cellcog

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent CellCog financial-analysis helper, but users should be careful with sensitive financial details and API-key handling.

Install only if you are comfortable sending financial prompts and any uploaded context to CellCog. Do not include SSNs, account numbers, brokerage credentials, tax IDs, or other unnecessary identifiers, and keep CELLCOG_API_KEY in an environment variable or secret manager rather than source files or prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages portfolio, tax, and personal-finance use cases that commonly involve highly sensitive financial data, but it does not warn users that their information may be sent to an external third-party service. This creates a real privacy and data-handling risk because users may disclose account balances, income, tax details, or holdings without informed consent or minimization guidance.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The setup instructions require a CELLCOG_API_KEY but provide no guidance on secure credential handling. Users may paste keys into prompts, commit them to repositories, or store them insecurely, increasing the chance of credential leakage and unauthorized API use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.