Is image-cog safe?

https://clawhub.ai/nitishgargiitd/image-cog

Overall score: 72 · CAUTION

image-cog is a documentation-only skill containing no executable code, acting purely as a usage guide for the cellcog SDK. However, its security posture is undermined by two factors: (1) the openclaw runtime reads sensitive credentials (.env, .aws/credentials, auth-profiles.json) during installation, exposing them to the process context, and (2) the hard dependency on the unaudited cellcog skill creates a transitive trust chain where any compromise of cellcog would directly impact all image-cog users. The fire-and-forget callback pattern further widens the attack surface.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 75/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH AWS credentials and .env accessed during install -30

The filesystem monitoring log shows /home/oc-exec/.aws/credentials and /home/oc-exec/.env were opened and accessed during the skill installation process. While this may be the openclaw runtime loading its own configuration, it means sensitive credentials were in the process memory space during skill installation. If any install-time code from the skill (or its dependency chain) executes, these credentials could be captured.

HIGH Auth profiles read during install -15

The openclaw agent auth-profiles.json was read during skill installation. This file likely contains authentication tokens or OAuth credentials for the agent's connected services. Exposure to the skill's execution context creates a credential leakage vector.

MEDIUM Transitive dependency on unaudited cellcog skill -15

image-cog declares a hard dependency on 'cellcog' and instructs the agent to 'Read the cellcog skill first'. This creates a transitive trust chain — any prompt injection, malicious code, or data exfiltration in cellcog is inherited by image-cog. The cellcog skill has not been audited as part of this review, making the true risk profile unknown.

MEDIUM Agent instruction to load external skill content -10

The skill explicitly instructs the LLM agent to read another skill's content ('Read the cellcog skill first'). This is a form of indirect prompt injection — the image-cog SKILL.md directs the agent to ingest content from cellcog, which could contain adversarial instructions that override user preferences or system constraints.

MEDIUM Sensitive dotfiles accessed during installation -35

Multiple sensitive dotfiles were read during the install process including .profile, .bashrc (multiple times), and .openclaw/openclaw.json. While likely caused by the openclaw runtime rather than the skill itself, this indicates the installation context has broad filesystem access to user configuration files.

MEDIUM Fire-and-forget pattern with session callbacks -20

The skill's recommended usage pattern uses notify_session_key='agent:main:main' with fire-and-forget semantics. The agent sends a request and waits for a callback notification. This pattern could be exploited if the cellcog API or daemon is compromised — the callback could deliver malicious instructions or manipulated image URLs that the agent would process without verification.

LOW Supply chain attack vector via dependency chain -25

image-cog is a documentation-only skill that delegates all execution to cellcog. An attacker could publish image-cog as a benign skill to accumulate installs, then later update cellcog with malicious functionality. Users who installed image-cog would automatically inherit the compromised cellcog behavior.

INFO No executable code in skill package 0

The skill contains only SKILL.md (documentation), _meta.json, and origin.json. No JavaScript, Python, shell scripts, or other executable files are present. No package.json, no install scripts, no git hooks. All /tmp/jiti files are runtime transpilation artifacts from the openclaw framework.

INFO All honeypot files intact 0

No canary files (fake .env, SSH keys, AWS credentials) were modified or accessed by the skill itself. The credential access observed was from the openclaw runtime, not targeted honeypot harvesting.