Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Insta Cog

v1.0.12

AI social media video and content creation powered by CellCog. Instagram Reels, TikTok videos, Stories, carousels, social posts. Full video production from a...

20 · 3.3k · 15 current · 15 all-time
by CellCog @nitishgargiitd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: this is an instruction-only wrapper that calls CellCog for video/content production. However the SKILL.md lists a dependency on 'cellcog' but does not declare any required credentials or explain how the CellCog service is authenticated — an expected API key or token is missing from the declared requirements.
Instruction Scope
The runtime instructions stay on-topic (how to call the CellCog SDK, chat modes, content formats). They do reference reading the separate 'cellcog' skill for SDK details, file handling, and timeouts — this delegates credential/config handling elsewhere but that external dependency is not included in this package, creating a blind spot.
Install Mechanism
No install spec and no code files — the skill is instruction-only. This is lower risk because it does not write code or download archives. It does, however, instruct use of an external SDK/service (CellCog).
Credentials
The skill declares no required environment variables or primary credential but clearly needs access to the CellCog service (network calls and likely an API key). The absence of declared credentials is disproportionate: either authentication is expected to come from a separate skill/agent config (not documented here) or the skill is incomplete. Also, using the service implies uploading content (scripts, media) to an external endpoint — a privacy/credential consideration not described.
Persistence & Privilege
The skill uses the defaults (`always: true` is not set; agent invocation is allowed). It does not request system-wide config changes or permanent presence. No persistence or elevated privileges are requested within the SKILL.md.
What to consider before installing
This skill appears to be an instruction-only wrapper that tells the agent to call CellCog for full video production. Before installing: (1) confirm how you will authenticate to CellCog — the SKILL.md declares a dependency on a 'cellcog' SDK but does not list any API key or token requirements; ask the publisher where credentials should be provided or whether another skill supplies them; (2) verify the CellCog service URL and privacy policy (the skill will likely upload prompts and media to an external API); (3) if you plan to allow autonomous agent runs, restrict what media or sensitive data the agent can send to the service; and (4) prefer installing only if you trust the CellCog publisher and you understand where the SDK/credentials come from. If you need higher assurance, request a version that documents credential names, scopes, and exact endpoints used.


latestvk97djxjjys2zr474vggt6ffj8d84trvj


Runtime requirements

📸 Clawdis
OS: macOS · Linux · Windows
