scheduler
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The SOP.md file directs the AI agent to read sensitive authentication data, specifically pairCode and routeToken, from the .claude/skills/mycc/current.json file and display them. This pattern exposes credentials that could be exfiltrated if the agent is manipulated.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it executes instructions sourced from an external, user-editable file.
  - Ingestion points: The daemon.sh script monitors and reads task definitions from .claude/skills/scheduler/tasks.md.
  - Boundary markers: The system lacks delimiters or instructions to prevent the agent from obeying malicious commands embedded within the tasks.md table entries.
  - Capability inventory: The scheduler can trigger any skill or task description via the cc-webui API, which executes commands through Claude Code with potential filesystem access.
  - Sanitization: There is no evidence of validation or sanitization of the 'Task' or 'Skill' fields retrieved from the markdown table.
- [COMMAND_EXECUTION]: The skill uses a background daemon to parse and execute commands stored in tasks.md. This architecture allows persistent execution of arbitrary instructions in the background without direct user oversight of each execution.
Audit Metadata