Full run checklist.md tasks in Claude Code skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it deserves Review because it installs project-local auto-start behavior and lets checklist text drive automated Claude Code work with weak completion safeguards.

Install only in trusted projects after reviewing checklist.md and the shell scripts. Expect it to edit .claude/settings.local.json, add a SessionStart hook, grant permission for its project-local scripts, start a local monitor, write local status/log files, and mark checklist items complete automatically. Avoid using it where checklist.md may be edited by untrusted parties, and remove the hook or uninstall if you do not want future Claude Code sessions to start monitoring automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill clearly describes shell-script execution, installation, and configuration changes, yet no explicit permissions are declared. This creates a transparency and consent problem: users and enforcement layers may underestimate the skill's ability to run commands and modify project state, increasing the chance of unintended code execution.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The stated purpose focuses on executing checklist tasks, but the skill also installs scripts, edits .claude/settings.local.json, grants permission rules, and registers a SessionStart hook for future sessions. That hidden persistence/configuration behavior materially changes the trust model and can enable ongoing automated execution beyond what a user would reasonably infer from the description.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The installer silently adds a SessionStart hook that automatically executes a project-local script whenever a session begins. This changes the trust boundary from manual invocation to implicit execution, which is risky because any later modification of the copied script or project state can trigger code execution without an explicit user action.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: Using 'or similar commands' makes the trigger ambiguous and easier to activate unintentionally from loosely related user language. Because this skill can launch automated task execution and monitoring, an overly broad trigger increases the risk of accidental invocation of shell-backed behavior.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The script modifies checklist.md by marking tasks done automatically, but it provides no explicit interactive warning or confirmation before altering user project state. Because it marks completion immediately after printing a task, this can silently corrupt workflow state, hide unfinished work, and mislead downstream automation or users into trusting inaccurate progress.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The installer modifies project settings to grant script execution permissions and registers an auto-executing SessionStart hook without explicit user consent at install time. In the context of an agent skill, this is more dangerous because it establishes persistence-like behavior and broadens execution authority inside the project, increasing the chance of unintended or surprise code execution.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: # Fullrun - Task Executor A script system that automatically executes task checklists with state management and scheduled checking. ## Requirements
Confidence: 74% confidence
Finding: automatically execute

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: --- name: fullrun description: Automatically execute tasks from checklist.md with state management and scheduled checking trigger: When user says "start execution", "run tasks", "execute checklist" or similar commands ---
Confidence: 90% confidence
Finding: Automatically execute

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal