Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fox Cellcog
v1.0.0#1 on DeepResearch Bench (Feb 2026). Any-to-Any AI for agents. Combines deep reasoning with all modalities through sophisticated multi-agent orchestration. R...
⭐ 0· 41·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a cloud-hosted multimodal AI (CellCog) and shows an SDK usage pattern (python client, CELLCOG_API_KEY). That capability justifies requiring an API key and a pip package. However the registry metadata at the top of the evaluation lists no required env vars while SKILL.md declares env: [CELLCOG_API_KEY], creating an inconsistency that should be explained by the publisher.
Instruction Scope
Instructions explicitly show including absolute local file paths inside <SHOW_FILE> tags and state that generated files will be 'auto-downloaded' and responses delivered to the session. This encourages reading and sending arbitrary local files to an external service (cellcog.ai) which is a potential data-exfiltration risk if not intended by the user. The SKILL.md also instructs installing and using the cellcog Python SDK and using notify_session_key values (session delivery), which are coherent for the described purpose but broaden the data surface.
Install Mechanism
No install spec was present in the registry entry, but SKILL.md includes 'install: pip: cellcog' (PyPI install). pip installs are common and expected for an SDK, but they still pull third-party code—users should confirm the 'cellcog' package on PyPI matches the official project and review its source before installation.
Credentials
The SDK reasonably requires a single API key (CELLCOG_API_KEY). That is proportionate to a cloud AI service. However the registry metadata claimed no required env vars while the SKILL.md requires CELLCOG_API_KEY — the mismatch is unexplained and lowers trust. No other credentials are requested.
Persistence & Privilege
The skill is user-invocable, not always-on, and allows autonomous model invocation (the platform default). It does not request elevated or persistent platform-wide privileges in its metadata.
What to consider before installing
This skill appears to be an instruction wrapper for the CellCog cloud SDK and asks for a CELLCOG_API_KEY and a pip install. Before installing or using it: 1) Verify the publisher and official homepage (cellcog.ai) and confirm the 'cellcog' PyPI package is legitimate and matches the official project. 2) Don't put sensitive or system files in the <SHOW_FILE> tags unless you understand and approve sending them to the remote service—the SKILL.md shows absolute paths and implies the agent will upload those files. 3) Prefer creating a scoped API key with minimal permissions and limited billing/quota, and test the package in an isolated environment. 4) Ask the publisher to explain the metadata mismatch (registry shows no required env, SKILL.md requires CELLCOG_API_KEY) and to provide a homepage/source link and reproducible owner/publisher IDs. If you can't verify the package and publisher, treat this skill as potentially risky and avoid uploading confidential files.Like a lobster shell, security has layers — review code before you run it.
latestvk97aftt3z40dwxxat31799amph83sx5q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧠 Clawdis