scheduled-task
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local shell scripts (`create-task.sh`, `update-task.sh`, `list-tasks.sh`, `delete-task.sh`, `toggle-task.sh`) to interact with an internal management API via `LOBSTERAI_API_BASE_URL`.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface by design. It accepts arbitrary natural language instructions to be stored in a `prompt` field and executed at a later time.
  - Ingestion points: The `prompt` field in the task configuration is populated based on user requests (e.g., "Check the AI news for me every morning at 9").
  - Boundary markers: The skill does not implement delimiters or safety instructions to prevent the agent from obeying malicious commands embedded within these stored prompts.
  - Capability inventory: Scheduled tasks are executed in a "Cowork session" where tool calls are "auto-approved" (as stated in `SKILL.md`), allowing the stored instructions to perform actions without human oversight.
  - Sanitization: No sanitization or validation logic is present to filter executable or harmful content within the stored prompt fields.
Audit Metadata