Session Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a session logging skill, but it aggressively tries to make itself mandatory for broad tasks and references an unreviewed CLI/background monitor that is not included in the package.

Review carefully before installing. The session-tracking idea is coherent, but this package does not include the CLI it tells agents to run, and it tries to make tracking mandatory for many tasks. Only use it if you understand which `session-tracker` executable will run in your environment and how to stop or clean up the persisted session files.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Severity: Medium
What this means

The agent may start logging and tracking routine multi-step work by default, even if the user did not ask for a persistent session tracker.

Why it was flagged

The skill attempts to make itself mandatory across broad classes of tasks, which can override normal user-directed tool choice and cause session tracking to run even when not explicitly wanted.

Skill content

ALWAYS use this skill for ANY multi-step task... Do NOT attempt multi-step work without initializing a session first.

Recommendation

Change the invocation guidance to user-directed or narrowly scoped use, and make clear that user instructions can opt out.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Medium
What this means

A user cannot verify from these artifacts what code would actually run if the agent executes the documented `session-tracker` command.

Why it was flagged

The reviewed package contains no executable or install instructions, but the skill tells the agent to use a `session-tracker` command and describes background monitor behavior. If followed, the agent would rely on an external or preexisting executable whose source is not reviewed here.

Skill content

No install spec — this is an instruction-only skill... No code files present... session-tracker ping --detail "Running docx skill, generating document..."

Recommendation

Include the implementation, pin its provenance, declare the required binary/install step, or remove CLI execution instructions from this instruction-only skill.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Session notes, todos, and file metadata may remain on disk and influence later work after an interruption.

Why it was flagged

The skill stores persistent task state and file inventory for future recovery, which is central to its purpose but creates reusable context that future agents may trust.

Skill content

`state.json` | Session metadata + file inventory ... `todo.json` | Persistent TODO list ... `worklog.jsonl` | Structured log

Recommendation

Avoid recording secrets in session logs, review persisted `.session` data before resuming, and provide clear cleanup/retention controls.

ASI10: Rogue Agents
Severity: Medium
What this means

A monitor may continue tracking project file activity until the session is completed or cleaned up.

Why it was flagged

The skill documents a background monitor and crash-surviving active-session sentinel. This is disclosed and related to crash recovery, but it is persistent behavior users should notice.

Skill content

`monitor.pid` | PID of the background monitor process ... `SESSION_ACTIVE` | Sentinel file — exists = session active, removed on completion.

Recommendation

Make start/stop behavior explicit, require user approval before launching long-running monitors, and document how to terminate and clean up sessions.