ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Cog

v1.0.10

AI data analysis and visualization powered by CellCog. Data cleaning, exploratory analysis, hypothesis testing, statistical reports, ML model evaluation, dat...

4· 2k·8 current·8 all-time
byCellCog@nitishgargiitd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md consistently describe a CellCog-powered data analysis service that runs Python to produce charts and reports. However, the metadata lists a dependency on 'cellcog' but declares no installation steps and no authentication/credentials; for a cloud SDK this is unexpected and deserves clarification.
Instruction Scope
SKILL.md confines actions to uploaded files (uses <SHOW_FILE> tags) and running analysis via the CellCog client. It does not instruct the agent to read unrelated system files or arbitrary environment variables. It does grant 'full Python access' to run code on uploaded data, which is functionally necessary but increases the sensitivity of what will be processed.
Install Mechanism
This is an instruction-only skill with no install spec or files to write to disk, which minimizes install-time risk. The declared dependency in the header ('dependencies: [cellcog]') is informational but there is no automated installer referenced.
!
Credentials
The skill requests no environment variables or credentials in its registry metadata, yet the SKILL.md references a client SDK (CellCogClient) that in typical deployments would require authentication/endpoint configuration. The absence of any declared primary credential or guidance on where credentials come from is a mismatch and could hide an unlisted requirement for API keys or account tokens.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide configuration or elevated privileges. Autonomous invocation is allowed (platform default) but not by itself a red flag here.
What to consider before installing
This skill appears to be a wrapper for the CellCog data-analysis SDK and will run Python on files you upload. Before installing: (1) confirm how and where the CellCog client authenticates — the skill metadata doesn't declare any API key or credentials but the SDK likely needs one; (2) ask whether code runs locally or on CellCog servers and read the provider's privacy/data-retention policy; (3) avoid uploading sensitive PII or secrets until you know data handling guarantees; (4) look for the separate 'cellcog' skill or docs the SKILL.md references to learn exact installation/auth steps. If you cannot verify authentication and data residency, treat this as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d5zdv9aexmbf7bj93z722hs84tzcf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔢 Clawdis
OSmacOS · Linux · Windows

Comments