Session Wrap-Up Premium

Security checks across malware telemetry and agentic risk

Overview

This wrap-up skill has a coherent purpose, but it can automatically stage and push repository changes and contains a command-injection bug in its commit flow.

Review carefully before installing. Do not use this on repositories containing secrets or unrelated work unless git operations are changed to stage only explicit wrap-up files, avoid shell=True, and require confirmation before any push.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
OPEN_LOOPS = NOTES_DIR / "open-loops.md"

def run(cmd):
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.returncode, res.stdout, res.stderr

def ensure_dirs():
Confidence
98% confidence
Finding
res = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill's documented wrap-up purpose is broader than a normal note-taking task and includes `git add -A` followed by `git push`, which can transmit all modified repository contents, not just wrap-up artifacts. In a session-persistence skill, that context makes the mismatch more dangerous because users may expect local logging but inadvertently publish unrelated or sensitive changes to a remote.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest and tool descriptions do not fully disclose that the skill may log into other skills' files or archive WAL data, which hides the true scope of file access and persistence side effects. Hidden cross-skill writes are risky in a memory-management context because they can alter or retain sensitive agent state outside the files a user expects to be touched.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The `wrap_up` action accepts arbitrary JSON input for `commit_message` and interpolates it into a shell command: `git commit -m "{message}"`. Because execution ultimately occurs through `shell=True`, a crafted message containing quotes or shell operators can break out of the quoted string and run arbitrary commands, followed by a `git push` that may exfiltrate modified content to a remote.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states that `git push` is automatic and requires no confirmation, yet it provides no caution about remote transmission, branch targeting, or the possibility of pushing unrelated repository changes. In the context of a persistence/wrap-up skill that may collect session summaries and memory data, automatic network publication materially increases the risk of accidental data exfiltration.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill stages all changes, commits, and pushes to the configured remote without any confirmation or warning. In the context of a session wrap-up skill that operates on a user's workspace and memory files, this increases the chance of unintended publication of sensitive notes, secrets, or attacker-modified files, especially when combined with the command-injection issue.

Session Persistence

Medium
Category
Rogue Agent
Content
enum: ["append", "replace"]
          default: "append"
      required: ["section", "content"]
    permission: workspace_write
---

# Session Wrap-Up Premium
Confidence
85% confidence
Finding
write --- # Session Wrap-Up Premium End sessions with confidence. This skill automates the entire wrap-up process: context preservation, git commit, and PARA second-brain updates. ## Why Wrap Up?

VirusTotal

66/66 vendors flagged this skill as clean.
