scheduler
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a custom CLI tool (
alma cron,alma heartbeat) with Bash permissions to create, manage, and execute scheduled tasks. This functionality allows instructions and shell commands to persist across sessions and trigger automatically based on time intervals or cron expressions. - [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection via delayed execution.
- Ingestion points: Persistent instructions are stored in the
HEARTBEAT.mdfile and within the--promptargument of scheduled cron jobs inSKILL.md. - Boundary markers: The skill does not define delimiters or specific 'ignore instructions' warnings when reading from the heartbeat file or executing scheduled prompts.
- Capability inventory: The agent possesses high-privilege capabilities including
Bash,Read, andWritetools which can be accessed by the scheduled tasks. - Sanitization: The skill does not implement validation or sanitization for the prompts being scheduled or the content of the heartbeat configuration file.
Audit Metadata