cron-manager
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by allowing the persistence of natural language instructions in scheduled tasks.\n
- Ingestion points: The
--messageargument in thecreateandupdatecommands, and themessagefields within JSON files processed bybatch-createinscripts/cron_manager.py.\n - Boundary markers: Absent. Stored messages are later fed to the agent as instructions without delimiters or protective framing to distinguish them from system instructions.\n
- Capability inventory: The skill enables the creation and modification of persistent scheduled tasks that dictate future agent behavior.\n
- Sanitization: No sanitization or validation is applied to the content of the messages.\n- [COMMAND_EXECUTION]: The skill uses a Python script to perform its operations, which is executed via the system shell.\n
- Evidence: Implementation in
scripts/cron_manager.pyis invoked usingpython3as defined inSKILL.md.\n- [DATA_EXFILTRATION]: The batch creation feature allows reading arbitrary local files, creating a risk of data exposure.\n - Evidence: The
cmd_batch_createfunction inscripts/cron_manager.pyopens a user-provided file path. If an attacker directs this to a sensitive file, the resulting JSON parsing error could leak parts of the file's content to the agent's output.
Audit Metadata