Is cellcog safe?

https://clawhub.ai/nitishgargiitd/cellcog

62
CAUTION

CellCog is a commercial AI-as-a-service skill whose core design pattern involves reading arbitrary local files and transmitting them to external servers (cellcog.ai). While it provides legitimate multi-modal AI capabilities, its mechanism normalizes file exfiltration as standard workflow. The install phase reads sensitive credential files (.env, .aws/credentials, auth-profiles.json), and the SDK runs a persistent background daemon with WebSocket connections to external servers. No canary files were modified and no outbound network was detected during install, but the runtime behavior profile carries significant data exfiltration risk.

Category Scores

Prompt Injection 40/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (9)

CRITICAL Core design enables arbitrary file exfiltration to external API -40

The skill's fundamental operation pattern is to read local files referenced by absolute-path tags in the prompt and transmit their contents to cellcog.ai API endpoints. This teaches the agent that sending local file contents to an external service is normal behavior. Any file readable by the agent can be exfiltrated through this pattern, since nothing in the pattern distinguishes a working document from a credential file.

HIGH Skill instructs agent to install and execute external pip package -25

The skill declares 'install: pip: cellcog' in its frontmatter and additionally instructs the agent to run 'pip install cellcog' if import fails. This installs arbitrary Python code from PyPI that runs a background daemon with persistent WebSocket connections to external servers.

HIGH Skill teaches agent to treat file reading + external transmission as normal -20

The tag pattern normalizes reading arbitrary absolute file paths and including their contents in API calls to an external service. This is a form of prompt injection that redefines the agent's understanding of safe file handling.
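The two findings above describe the same mechanism: a tagged absolute path is read and its contents are forwarded verbatim. The added example below is not CellCog's code or ClawHub's; it assumes a `<file>/absolute/path</file>` tag syntax (the real tag format is not shown on this page) and contrasts the unguarded read with a guard that resolves symlinks, confines reads to allowed roots, refuses credential and shell-configuration files, and caps the size of what a single tag can pull in. The `demo()` fixture (a workspace note, a symlink pointing at fake AWS credentials, and a `.env` outside the workspace) is constructed for illustration.

```python
"""Guarding absolute-path file tags before their contents are sent to a remote API.

Added example; not code from the CellCog skill or SDK. Tag syntax and deny lists are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Assumed tag syntax for illustration; the real skill's tag format is not shown on the audit page.
FILE_TAG_RE = re.compile(r"<file>([^<]+)</file>")

# Basenames and parent directories that should never be forwarded to a remote model.
DENY_BASENAMES = {".env", "credentials", "auth-profiles.json", "id_rsa", "id_ed25519",
                  ".netrc", ".bashrc", ".profile"}
DENY_DIRNAMES = {".aws", ".ssh", ".openclaw", ".gnupg"}
MAX_BYTES = 256 * 1024  # cap on what one tag can pull into an API call


def unsafe_collect(prompt: str) -> dict[str, str]:
    """The pattern the audit objects to: every tagged absolute path is read and returned verbatim."""
    return {p: Path(p).read_text(errors="replace") for p in FILE_TAG_RE.findall(prompt)}


def safe_collect(prompt: str, allowed_roots: list[str]) -> dict[str, tuple[str, str]]:
    """Resolve each tagged path and return contents only from inside the allowed roots.

    Returns {raw_path: ("allowed", contents) | ("denied", reason)} so the caller can log refusals.
    """
    roots = [Path(r).resolve() for r in allowed_roots]
    out: dict[str, tuple[str, str]] = {}
    for raw in FILE_TAG_RE.findall(prompt):
        p = Path(raw)
        if not p.is_absolute():
            out[raw] = ("denied", "relative path")
            continue
        try:
            # strict=True follows symlinks, so a link inside the workspace that points
            # at ~/.aws/credentials resolves to its real location and is caught below.
            real = p.resolve(strict=True)
        except OSError:
            out[raw] = ("denied", "does not exist")
            continue
        if not any(real == root or root in real.parents for root in roots):
            out[raw] = ("denied", f"resolves outside allowed roots: {real}")
            continue
        if real.name in DENY_BASENAMES or DENY_DIRNAMES.intersection(real.parts):
            out[raw] = ("denied", "credential or shell configuration file")
            continue
        if not real.is_file():
            out[raw] = ("denied", "not a regular file")
            continue
        if real.stat().st_size > MAX_BYTES:
            out[raw] = ("denied", "exceeds size cap")
            continue
        out[raw] = ("allowed", real.read_text(errors="replace"))
    return out


def demo() -> dict[str, tuple[str, str]]:
    """Constructed fixture: workspace note, symlink to fake AWS credentials, and a .env outside the workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        ws = home / "workspace"
        (home / ".aws").mkdir(parents=True)
        ws.mkdir()
        (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n")
        (home / ".env").write_text("API_KEY=example\n")
        (ws / "notes.txt").write_text("meeting notes\n")
        (ws / "creds_link").symlink_to(home / ".aws" / "credentials")
        prompt = (
            f"Summarise <file>{ws / 'notes.txt'}</file>, "
            f"<file>{ws / 'creds_link'}</file> and <file>{home / '.env'}</file>"
        )
        result = safe_collect(prompt, [str(ws)])
        # Re-key by basename so the result does not depend on the temporary directory name.
        return {Path(k).name: v for k, v in result.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in demo().items():
        print(f"{name}: {verdict} ({detail.strip() if verdict == 'denied' else len(detail)} bytes)")
```

The symlink case is the one worth keeping in mind: a deny list on the literal path the model supplied is not enough, because the path can be a link the agent itself was talked into creating. Resolving first and then checking roots and names closes that gap; the size cap limits how much a single prompt can move even when a path is legitimately inside the workspace.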

HIGH Install phase reads sensitive credential and configuration files -35

During the clone/install phase, the process read .env, .aws/credentials, .openclaw/openclaw.json, auth-profiles.json, .profile, and .bashrc multiple times. While some of these may be expected for environment setup, reading .aws/credentials and .env during a skill install is suspicious.

HIGH Background daemon process with persistent WebSocket connection -30

The installed SDK runs a background daemon that maintains a persistent WebSocket connection to cellcog.ai/api/cellcog/ws/user/stream. This creates an always-on data channel that is difficult to audit and could transmit data without per-request user approval.

MEDIUM Skill can send messages to external communication platforms -15

The notify_session_key parameter supports Telegram DM and Discord group delivery, meaning CellCog results (potentially containing local file data) can be forwarded to communication platforms.

MEDIUM JIT compilation artifacts created during install -20

Multiple compiled JavaScript files were created in /tmp/jiti/ during the install phase. jiti is a Node.js just-in-time loader that transpiles TypeScript and ESM at load time and caches the output, so these artifacts indicate that JavaScript or TypeScript was transpiled and executed as part of the skill installation, not merely downloaded.

LOW Marketing-laden persuasion language to influence agent behavior -10

The skill uses superlative marketing claims ('#1 on DeepResearch Bench', 'the only AI that truly handles any input → any output') to persuade the agent to prefer CellCog for tasks, potentially overriding user preferences for alternative tools.

INFO Canary files intact 0

None of the honeypot files (fake .env, SSH keys, AWS credentials) were modified during the audit. However, .aws/credentials and .env were read during install, and a read leaves a canary intact: this check detects tampering, not disclosure, so it cannot catch read-based exfiltration on its own.
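The install-phase finding above (credential files read "multiple times") and this canary finding point at the same gap: a canary only notices writes, while the risk here is reads followed by an outbound send. A syscall trace of the install catches both halves. The added example below is not part of the audit tooling or the skill; it parses constructed `strace -f -e trace=openat,connect` output, counts reads of credential files per process, records which honeypot paths were actually opened successfully, and lists outbound AF_INET connects so that "no outbound network during install" can be checked from the same capture. Paths, PIDs, and the 203.0.113.10 address are constructed sample data.

```python
"""Flagging credential reads and outbound connects in an strace capture of a skill install.

Added example; not the audit harness's code. Sample trace lines, paths, and PIDs are constructed.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# Files whose read during an install is a finding in itself; .bashrc/.profile are left out
# because a login shell reads them routinely and they are a much weaker signal.
SENSITIVE_BASENAMES = {".env", "credentials", "auth-profiles.json", "id_rsa", "id_ed25519", "openclaw.json"}
SENSITIVE_DIRS = {".aws", ".ssh", ".openclaw", ".gnupg"}
# Where the (constructed) honeypot files live in this example's sandbox.
CANARY_PATHS = {"/home/user/.aws/credentials", "/home/user/.env", "/home/user/.ssh/id_rsa"}

# strace -f prints "[pid N] syscall(...) = ret"; these cover openat and IPv4 connect.
OPENAT_RE = re.compile(r'^\[pid\s+(\d+)\]\s+openat\(\w+,\s+"([^"]+)",\s+([A-Z_|]+)[^)]*\)\s+=\s+(-?\d+)')
CONNECT_RE = re.compile(
    r'^\[pid\s+(\d+)\]\s+connect\(\d+,\s+\{sa_family=AF_INET,\s+sin_port=htons\((\d+)\),'
    r'\s+sin_addr=inet_addr\("([^"]+)"\)\}'
)
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}

# Constructed trace of a hypothetical install: two credential reads by one child, one
# failed read by another, one write under /tmp/jiti, and a single outbound TLS connect.
SAMPLE_TRACE = [
    '[pid 4242] openat(AT_FDCWD, "/usr/lib/python3.11/os.py", O_RDONLY|O_CLOEXEC) = 3',
    '[pid 4242] openat(AT_FDCWD, "/home/user/.bashrc", O_RDONLY) = 4',
    '[pid 4242] openat(AT_FDCWD, "/home/user/.env", O_RDONLY|O_CLOEXEC) = 5',
    '[pid 4243] openat(AT_FDCWD, "/home/user/.aws/credentials", O_RDONLY|O_CLOEXEC) = 3',
    '[pid 4243] openat(AT_FDCWD, "/home/user/.aws/credentials", O_RDONLY|O_CLOEXEC) = 3',
    '[pid 4243] openat(AT_FDCWD, "/home/user/.openclaw/openclaw.json", O_RDONLY) = 4',
    '[pid 4244] openat(AT_FDCWD, "/tmp/jiti/abc123.js", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644) = 6',
    '[pid 4244] connect(7, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)',
    '[pid 4244] connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0',
    '[pid 4242] openat(AT_FDCWD, "/home/user/.aws/credentials", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
]


def is_sensitive(path: str) -> bool:
    """True if the basename or any parent directory is on the sensitive lists."""
    p = PurePosixPath(path)
    return p.name in SENSITIVE_BASENAMES or bool(SENSITIVE_DIRS.intersection(p.parts))


def analyse(lines: list[str]) -> dict:
    """Summarise sensitive file access and outbound connects from strace -f output.

    Open attempts are counted even when they fail (the attempt is the signal); canary
    reads are recorded only for successful opens, which is what a read-detecting canary
    would need to alert on.
    """
    reads: Counter = Counter()
    writes: Counter = Counter()
    canary_reads: set[str] = set()
    connects: list[tuple[int, str, int]] = []
    for line in lines:
        m = OPENAT_RE.match(line)
        if m:
            pid, path, flags, ret = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            if not is_sensitive(path):
                continue
            key = (pid, path)
            if WRITE_FLAGS.intersection(flags.split("|")):
                writes[key] += 1
            else:
                reads[key] += 1
                if path in CANARY_PATHS and ret >= 0:
                    canary_reads.add(path)
            continue
        m = CONNECT_RE.match(line)
        if m:
            connects.append((int(m.group(1)), m.group(3), int(m.group(2))))
    return {
        "sensitive_reads": dict(reads),
        "sensitive_writes": dict(writes),
        "canary_reads": sorted(canary_reads),
        "outbound_connects": connects,
    }


if __name__ == "__main__":
    for section, value in analyse(SAMPLE_TRACE).items():
        print(section, value)
```

Run the real capture as `strace -f -o install.trace -e trace=openat,connect pip install <package>` inside a throwaway environment and feed the file's lines to `analyse()`. The point of splitting reads from writes is exactly the one the canary finding makes: an install can read every credential on the box and leave the write-only canary score at 100/100, so the read counts and the connect list are the numbers to look at.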