scheduler
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Persistence Mechanisms (MEDIUM): The skill implements system persistence by managing cron jobs via the
alma cronCLI. This allows for automated, periodic execution of AI tasks. The severity is reduced to MEDIUM as this is the core intended purpose of the skill. - Indirect Prompt Injection (LOW): The Heartbeat feature reads and follows instructions from
HEARTBEAT.mdwithout validation or boundary markers. This creates a vulnerability where external modifications to the file could control agent behavior. Evidence Chain: (1) Ingestion point: HEARTBEAT.md; (2) Boundary markers: Absent; (3) Capability inventory: Bash, Read, and Write; (4) Sanitization: Absent. - Command Execution (MEDIUM): The skill utilizes the Bash tool to execute system-level commands through the
almaCLI for task management and configuration. - Data Exposure & Exfiltration (LOW): The skill transmits task outputs to Telegram via the
--deliver-toflag. This involves network activity to a non-whitelisted external domain, which is a potential path for data exfiltration if the agent is compromised.
Audit Metadata