scheduler
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- Persistence Mechanisms (MEDIUM): The core functionality of the skill is to establish persistence on the host system using native schedulers (`crontab`, `launchd`, and Windows Task Scheduler). Although this is the intended purpose, it allows for long-term, background execution of tasks that persist across reboots and agent sessions.
- Dynamic Execution (MEDIUM): The provided setup scripts (`setup-crontab.sh`, `setup-launchd.sh`, and `setup-schtasks.ps1`) dynamically assemble shell commands and configuration files at runtime using user-supplied inputs. This pattern allows the agent to generate and register executable logic for future background execution.
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted command strings for scheduling.
  - Ingestion points: Task commands and descriptions processed via the `/scheduler:schedule-add` tool.
  - Boundary markers: Absent; there are no clear delimiters or warnings to the agent to ignore instructions embedded within the scheduled command string.
  - Capability inventory: Includes the ability to write to the filesystem, modify user crontabs, load system agents, and create Windows scheduled tasks.
  - Sanitization: Minimal; while `setup-launchd.sh` uses basic XML entity escaping, the Linux and Windows scripts rely on basic string interpolation, which could be susceptible to shell breakout depending on how the agent invokes the tools.
Audit Metadata