Back to skill

Security audit

Think Cog

Security checks across malware telemetry and agentic risk

Overview

This is a documented CellCog brainstorming integration with expected third-party prompt sharing, but users should avoid sending sensitive information unless they trust the service.

Install only if you trust CellCog and are comfortable using a CellCog API key. Treat prompts, files, and follow-up messages as information shared with an external service, and redact credentials, customer data, regulated data, and confidential plans unless you have approval to share them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send prompts and follow-up conversation to the external CellCog service, but it does not provide a clear, prominent warning that user content will leave the local agent environment. In a brainstorming skill, users are especially likely to share sensitive business, technical, strategic, or personal information during iterative back-and-forth, increasing the risk of unintended data disclosure to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.