cogdx-health Security Report — Suspicious | ClawSafe

45 /100

cogdx-health

Free cognitive health check for AI agents via Cerebratech CogDx

Documentation-only skill that sends agent conversation history to an external third-party API without clear data handling policies or declared allowed-tools.

Skill Namecogdx-health

Duration29.7s

Enginepi

⚠

Use with caution

Add explicit allowed-tools declaration (network:READ), clarify data retention policies, and ensure users consent to sharing conversation outputs with the external Cerebratech service.

Findings 3 items

Severity	Finding	Location
Medium	Missing allowed-tools declaration Doc Mismatch SKILL.md lacks allowed-tools metadata declaration. Despite this, the skill performs network requests to api.cerebratech.ai. The skill metadata should explicitly declare network:READ permission. `No allowed-tools field in YAML frontmatter` → Add 'allowed-tools: Bash' or appropriate tool declaration if this skill will be implemented with code.	`SKILL.md:1`
Medium	Conversation data sent to external third-party API Data Exfil The skill sends 10-20 recent agent outputs (including user prompts and agent responses) to api.cerebratech.ai. This effectively exfiltrates conversation context to an external party without clear data retention, privacy, or consent policies documented. `POST https://api.cerebratech.ai/cogdx-health with outputs array containing prompts and responses` → Document data handling practices, add privacy policy reference, and warn users that their prompts/responses will be sent to an external service.	`SKILL.md:32`
Low	External service dependency on Cerebratech Supply Chain The skill depends entirely on an external API (api.cerebratech.ai). If this service goes down, is compromised, or changes terms, the skill becomes non-functional. No fallback or local alternative exists. `POST https://api.cerebratech.ai/cogdx-health` → Consider documenting reliability expectations or offering a local analysis mode.	`SKILL.md:32`

Resource	Declared	Inferred	Status	Evidence
Network	`NONE`	`READ`	✓ Aligned	SKILL.md:32 POST https://api.cerebratech.ai/cogdx-health
Filesystem	`NONE`	`NONE`	—	N/A - no file operations
Shell	`NONE`	`NONE`	—	N/A - no shell execution
Environment	`NONE`	`NONE`	—	N/A - no env access
Skill Invoke	`NONE`	`NONE`	—	N/A - no skill chaining
Clipboard	`NONE`	`NONE`	—	N/A - no clipboard access
Browser	`NONE`	`NONE`	—	N/A - no browser usage
Database	`NONE`	`NONE`	—	N/A - no DB access

1 findings

🔗

Medium External URL 外部 URL

https://api.cerebratech.ai/cogdx-health

SKILL.md:25

File Tree

2 files · 5.5 KB · 155 lines

Markdown 2f · 155L

├─ ▾ 📁 references

│ └─ 📝 api.md Markdown 71L · 2.3 KB

└─ 📝 SKILL.md Markdown 84L · 3.2 KB

Security Positives

✓ No executable code present - skill is documentation only

✓ API endpoint and data format are fully documented

✓ No obfuscated code, base64 payloads, or suspicious patterns detected

✓ No credential harvesting, SSH key access, or sensitive file operations

✓ No reverse shell, C2, or direct IP-based malicious communication

✓ Skill purpose is transparent (cognitive health assessment)

✓ MIT license declared with author attribution

Scan Report

Findings 3 items

File Tree

Security Positives