Alex Session Wrap-Up

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its stated wrap-up purpose, but it has unsafe defaults that can publish secrets and send memory notes outside the machine without per-run review.

Review carefully before installing. Use it only in repositories where automatic commits and pushes are acceptable, remove *.env from the staged file patterns, avoid sourcing .env as shell, require a diff and explicit confirmation before any push, and review or redact memory entries before sending them to OpenAI/OpenRouter or saving model output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly invokes shell and network-capable actions such as committing local changes and pushing to a remote repository, yet it declares no permissions or approval boundary. That makes the automation harder to reason about, increases the chance of silent high-impact actions, and weakens user/operator ability to constrain exfiltration or repository modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose understates important behaviors: it can push to a remote, use third-party AI services, and persist data beyond a local transient wrap-up. When capabilities exceed the stated description, users may authorize the skill without understanding that code, metadata, or conversation-derived content could be transmitted or permanently stored.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script sources a neighboring .env file wholesale with `set -a; source ...`, importing every variable into the environment regardless of whether it is needed. This expands the blast radius of any secret present there and increases the chance unrelated credentials are exposed to subprocesses, logs, later git operations, or external API calls.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The automatic trigger of 'end of significant work session (optional)' is vague and can cause the skill to run when the user did not intend it. Because the skill performs commits, pushes, and persistence, ambiguous invocation can turn ordinary workflow transitions into unintended state-changing operations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises commit, push, and file-update actions but does not include an explicit warning or consent checkpoint before performing them. These are irreversible or externally visible operations that can publish sensitive code, alter repository history, or overwrite trusted project guidance files without informed approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends session memory entries to third-party AI providers for analysis without an explicit consent gate, redaction step, or warning at the point of transmission. If memory entries contain sensitive notes, credentials, customer data, or internal context, that data is exfiltrated outside the local environment.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to mine the session conversation and persist learnings into memory files and shared docs such as AGENTS.md or MEMORY.md. This can capture secrets, personal data, internal decisions, or sensitive prompts and then store or propagate them into durable project artifacts, increasing both retention and exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
PATTERN_RESULT=""

if [[ -n "$LEARNINGS" && -n "${OPENAI_API_KEY:-}" ]]; then
  PATTERN_RESULT=$(curl -sS --max-time 30 "https://api.openai.com/v1/chat/completions" \
    -H "Authorization: Bearer $OPENAI_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"model\": \"$MODEL\", \"messages\": [{\"role\": \"user\", \"content\": \"$PROMPT\"}], \"max_tokens\": 300}" \
Confidence
84% confidence
Finding
curl -sS --max-time 30 "https://api.openai.com/v1/chat/completions" \ -H "Authorization: Bearer $OPENAI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
2>/dev/null | python3 -c 'import sys,json; d=json.load(sys.stdin); print(d.get("choices",[{}])[0].get("message",{}).get("content","Error"))') \
    || PATTERN_RESULT="API error"
elif [[ -n "$LEARNINGS" && -n "${OPENROUTER_API_KEY:-}" ]]; then
  PATTERN_RESULT=$(curl -sS --max-time 30 "https://openrouter.ai/api/chat/v1/chat/completions" \
    -H "Authorization: Bearer $OPENROUTER_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"model\": \"openai/gpt-4o-mini\", \"messages\": [{\"role\": \"user\", \"content\": \"$PROMPT\"}], \"max_tokens\": 300}" \
Confidence
92% confidence
Finding
curl -sS --max-time 30 "https://openrouter.ai/api/chat/v1/chat/completions" \ -H "Authorization: Bearer $OPENROUTER_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
PATTERN_RESULT=""

if [[ -n "$LEARNINGS" && -n "${OPENAI_API_KEY:-}" ]]; then
  PATTERN_RESULT=$(curl -sS --max-time 30 "https://api.openai.com/v1/chat/completions" \
    -H "Authorization: Bearer $OPENAI_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"model\": \"$MODEL\", \"messages\": [{\"role\": \"user\", \"content\": \"$PROMPT\"}], \"max_tokens\": 300}" \
Confidence
84% confidence
Finding
https://api.openai.com/

Credential Access

High
Category
Privilege Escalation
Content
MODEL="gpt-4o-mini"

# Load env
if [[ -f "$WORKSPACE/../.env" ]]; then
  set -a
  source "$WORKSPACE/../.env"
  set +a
Confidence
97% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Load env
if [[ -f "$WORKSPACE/../.env" ]]; then
  set -a
  source "$WORKSPACE/../.env"
  set +a
fi
Confidence
97% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Only commit text/config files, skip binaries and media
if git rev-parse --git-dir >/dev/null 2>&1; then
  # Add only text/config files
  git add *.md *.txt *.json *.sh *.yaml *.yml *.env 2>/dev/null || true
  git add docs/* scripts/* skills/* memory/* 2>/dev/null || true
  git add AGENTS.md USER.md SOUL.md MEMORY.md TOOLS.md 2>/dev/null || true
  git add projects/*/README.md projects/*/notes/* 2>/dev/null || true
Confidence
99% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.
