ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Cog

v1.0.11

AI crypto research and analysis powered by CellCog. Token deep-dives, on-chain metrics, DeFi protocol breakdowns, wallet portfolio reviews, market sentiment,...

7· 2.2k·6 current·6 all-time
byCellCog@nitishgargiitd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (crypto research, token/DeFi analysis, on‑chain metrics) align with the SKILL.md content. The skill lists a dependency on 'cellcog', which is consistent with using a remote CellCog service/SDK. Source is 'unknown' and homepage points to cellcog.ai; that is plausible but unverifiable from the package alone.
Instruction Scope
SKILL.md instructs the agent to call the CellCog SDK to create chats/tasks and produce reports (HTML, PDF, XLSX). The instructions do not tell the agent to read system files or unrelated environment variables. However, the doc expects users/agents to send potentially sensitive data (wallet addresses, portfolio contents) to an external service; it does not explicitly warn against sending private keys or other secrets.
Install Mechanism
This is instruction‑only (no install spec, no code files), which is low install risk. But it declares a dependency ('cellcog') without an install mechanism or version: the runtime will implicitly rely on the environment to have that SDK installed, which is a mismatch that should be clarified.
!
Credentials
The skill declares no required env vars or primary credential, yet it expects to call an external CellCog service (via the CellCogClient). That strongly suggests an API key or token is required at runtime but not declared. This undocumented credential requirement is a meaningful gap. Also, the skill's use cases (portfolio review, wallet analysis) could lead users to paste highly sensitive data (private keys, seed phrases) into prompts unless the skill explicitly warns against it.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configs. It's instruction-only and does not request elevated or persistent platform privileges.
What to consider before installing
This skill appears to do what it claims (crypto research) but has important gaps you should address before using it: (1) Ask the publisher how the CellCog SDK authenticates—what env var or API key will it need, and where is that documented? (2) Confirm where data is sent and stored (does analysis leave your environment to cellcog.ai?), and review their privacy/security policy. (3) Never paste private keys, seed phrases, or other secret credentials into prompts; use only public wallet addresses or read‑only data. (4) Verify the origin and install method for the 'cellcog' package (PyPI/GitHub release?) before installing it into a production environment—prefer testing in an isolated environment first. (5) If you need higher assurance, ask the publisher for an install manifest and explicit env var names and for a minimal reproducible example that shows authentication and data flow.

Like a lobster shell, security has layers — review code before you run it.

latestvk970dpse2ah0ep79qf43w8nqch84v3me

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🪙 Clawdis
OSmacOS · Linux · Windows

Comments