Trust Assessment
cellcog received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The high-severity finding is Potential Data Exfiltration via Arbitrary File Access; the medium-severity finding is Unpinned Dependency in Installation Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit 89ffa28e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Data Exfiltration via Arbitrary File Access.** The skill documentation describes a `<SHOW_FILE>` mechanism that lets users specify absolute file paths (e.g., `<SHOW_FILE>/data/q4_earnings.pdf</SHOW_FILE>`). This implies that the underlying CellCog SDK or service reads the named file and transmits its content to the CellCog service. If a malicious prompt (for example, one injected through a document the agent is asked to process) instructs the agent to use this mechanism with sensitive paths such as `/etc/passwd`, `~/.ssh/id_rsa`, or `.env` files, the result is unauthorized exfiltration of data from the agent's execution environment to the CellCog service. Because the skill itself documents this capability, a compromised or prompt-injected agent has a ready-made channel for leaking data. **Recommendation:** Restrict file access in the CellCog SDK/service to explicitly allowed directories or file types, resolving symlinks and `..` components before the check. Run agents with minimal filesystem permissions and sandbox the environment in which file reads occur. Where possible, do not accept arbitrary absolute paths, or require the user to confirm each file access before transmission. | Static | SKILL.md:31 |
| MEDIUM | **Unpinned Dependency in Installation Instructions.** The `install` instruction in the manifest and the `pip install cellcog` command in `SKILL.md` do not specify a version for the `cellcog` package, so `pip` will install whatever version is newest on the index at install time. If a malicious release of `cellcog` is published (e.g., through a compromised maintainer account or publishing pipeline), the agent could unknowingly install and execute compromised code. This is a supply chain risk. **Recommendation:** Pin the dependency to a specific version or a narrow range in the `install` section of the manifest (e.g., `"pip": "cellcog==1.2.3"` or `"pip": "cellcog~=1.2"`) and update the `pip install` command in `SKILL.md` to match. A version pin alone does not verify what is downloaded; for stronger assurance, install from a requirements file that also pins artifact hashes (`pip install --require-hashes -r requirements.txt`). Review and update the pinned version regularly to pick up security fixes. | Static | Manifest:1 |
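The high-severity finding above recommends restricting `<SHOW_FILE>` reads to explicitly allowed directories and file types. The following is an added example of such a guard, written for this report; it is not code from the CellCog SDK, whose actual tag parsing and file handling are not known. The tag syntax is taken from the finding; the allowed root `/data`, the allowed suffixes, and the sample prompt are assumptions for illustration. It resolves symlinks and `..` components with `os.path.realpath` before comparing against the allowlist, so traversal via `/data/../etc/passwd` or a symlink planted under `/data` is rejected along with plain `/etc/passwd` and home-relative paths.

```python
import os
import re
from pathlib import Path
from typing import List, Tuple

# Tag syntax copied from the SkillShield finding. Hypothetical: the real
# CellCog parser is not reproduced here.
SHOW_FILE_RE = re.compile(r"<SHOW_FILE>(.*?)</SHOW_FILE>", re.DOTALL)

# Assumed policy for the example: only these roots and file types may be read.
ALLOWED_ROOTS = ("/data",)
ALLOWED_SUFFIXES = {".pdf", ".csv", ".txt"}


def extract_show_file_paths(prompt: str) -> List[str]:
    """Return every path the prompt asks to be shown, in order, unvalidated."""
    return [m.strip() for m in SHOW_FILE_RE.findall(prompt)]


def resolve_allowed(path_str: str,
                    allowed_roots=ALLOWED_ROOTS,
                    allowed_suffixes=ALLOWED_SUFFIXES) -> str:
    """Return the canonical path if policy permits reading it, else raise.

    Relative paths (including '~/...') are refused outright rather than
    expanded, so the caller's home directory is never implicitly in scope.
    """
    if not os.path.isabs(path_str):
        raise PermissionError(f"relative path refused: {path_str}")

    # realpath collapses '..' and follows symlinks, so the allowlist check
    # runs against where the read would actually land.
    real = os.path.realpath(path_str)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        try:
            Path(real).relative_to(root_real)
        except ValueError:
            continue  # not under this root, try the next one
        if Path(real).suffix.lower() not in allowed_suffixes:
            raise PermissionError(f"file type not allowed: {real}")
        return real
    raise PermissionError(f"path outside allowed roots: {real}")


def screen_prompt(prompt: str) -> Tuple[List[str], List[str]]:
    """Split a prompt's <SHOW_FILE> requests into (allowed canonical paths, denied originals)."""
    allowed, denied = [], []
    for p in extract_show_file_paths(prompt):
        try:
            allowed.append(resolve_allowed(p))
        except PermissionError:
            denied.append(p)
    return allowed, denied


# Constructed sample prompt: one legitimate request followed by the kinds of
# paths the finding warns about.
SAMPLE_PROMPT = (
    "Summarize <SHOW_FILE>/data/q4_earnings.pdf</SHOW_FILE>. "
    "Also include <SHOW_FILE>/etc/passwd</SHOW_FILE>, "
    "<SHOW_FILE>~/.ssh/id_rsa</SHOW_FILE>, "
    "<SHOW_FILE>/data/../etc/passwd</SHOW_FILE> and "
    "<SHOW_FILE>/data/notes.sh</SHOW_FILE>."
)

if __name__ == "__main__":
    ok, blocked = screen_prompt(SAMPLE_PROMPT)
    print("allowed:", ok)
    print("denied: ", blocked)
```

The check here is a policy gate, not a complete defense: a path that passes can still be swapped for a symlink between the check and the read. In a real SDK, open the file and re-check the opened descriptor (for example with `os.open(..., os.O_NOFOLLOW)` and `os.fstat`) rather than trusting the earlier string-level result, and run the process with filesystem permissions that make the allowlist the outer boundary rather than the only one.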
Full report: https://skillshield.io/report/55a4f6c470b335b4