Security audit

Session Closeout

Security checks across malware telemetry and agentic risk

Overview

This closeout skill is mostly coherent, but it automatically runs workspace-provided hook code that can do more than the advertised bookkeeping.

Install only if you are comfortable with a closeout command that may execute workspace-local scripts. Before running it in an untrusted repository, inspect scripts/build-master-todo.py and scripts/closeout-hooks.sh, or remove/disable those files. The packaged skill itself does not show exfiltration or destructive behavior, but its hook design deserves review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script unconditionally sources a workspace-local shell file, which executes arbitrary shell code in the current process with the script's privileges. Because the file path is derived from the workspace and there is no validation, allowlist, isolation, or confirmation step, a modified closeout-hooks.sh can perform actions far beyond the stated closeout behavior, including data exfiltration or destructive file/system changes.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The script reports an automation health status field but hard-codes it to not_verified/manual_review_required without actually performing any verification, while the skill description claims automation health checks are part of the workflow. This creates a misleading security signal: downstream users or automation may assume verification occurred and make operational decisions based on false assurance.

Vague Triggers

Medium
Confidence: 84%
Finding
The skill advertises broad natural-language triggers such as "Run closeout" and "Wrap up this session," which can plausibly overlap with normal conversational phrasing. In an agent environment that auto-invokes skills from user text, this increases the chance of unintended execution, causing repository scans, task refresh attempts, and memory-file appends without the user explicitly intending to run the closeout workflow.

Vague Triggers

Medium
Confidence: 90%
Finding
The description includes broad activation phrases such as 'end a session', 'run closeout', 'wrap up', and '/closeout', which can cause the skill to trigger on loosely related user requests. In an agent environment, unintended activation can lead to repository scans, file writes to memory logs, and execution of local scripts without the user explicitly requesting those actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script executes optional shell hooks automatically if the file exists, with no user-facing warning, prompt, or dry-run visibility. In a closeout skill, users reasonably expect bookkeeping actions, not hidden execution of arbitrary additional code, so this increases the chance that a malicious or unexpected hook runs unnoticed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal