cron-runner
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill employs shell-like operations such as renaming (`mv`) and deleting files within the local runtime directory to manage its processing queue.
- [REMOTE_CODE_EXECUTION]: The orchestrator extracts and dispatches commands directly from the `cron-actions-queue.jsonl` file to the agent's `router()` system. This enables the execution of arbitrary agent tasks based on unvalidated data from an external file.
- [PROMPT_INJECTION]: The skill provides an indirect prompt injection surface by ingesting and acting upon instructions from a shared queue file without sanitization.
  - Ingestion points: Data is read line-by-line from `.claude/context/runtime/cron-actions-queue.jsonl` (SKILL.md).
  - Boundary markers: No delimiters or protective instructions are used to separate task data from the agent's execution context.
  - Capability inventory: The skill can dispatch tasks, update system state, and perform file system manipulations (SKILL.md).
  - Sanitization: The processing logic only checks for JSON validity and does not inspect the contents of the tasks for safety or authorization.