scheduled-tasks
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool to perform system maintenance. Specific commands include `pnpm code:index:reindex` for search indexing, `pnpm validate:full` for framework validation, and `node .claude/lib/memory/memory-rotator.cjs` for memory management. While these are typical for environment maintenance, they represent a powerful capability that is triggered automatically by the scheduler.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection. Its primary purpose is to automate the reading and processing of external data on a recurring basis.
  - Ingestion points: Files such as `issues.md`, `CHANGELOG.md`, and external data sources like Telegram messages are read into the agent's context during scheduled loops.
  - Boundary markers: The provided task prompts (e.g., `"Read issues.md and CHANGELOG.md and give morning briefing"`) do not include explicit delimiters or instructions to ignore embedded commands within the ingested data.
  - Capability inventory: The skill has access to `Bash`, `CronCreate`, `Read`, and `TaskUpdate`, which could be abused if the agent follows malicious instructions found within the processed files.
  - Sanitization: There is no evidence of sanitization or validation of the content read from these external files before it is processed by the model.
- [DATA_EXFILTRATION]: While the skill contains examples of interacting with external services (e.g., "Check for new Telegram messages"), these are presented as user-controlled examples. However, the automated nature of these tasks could be leveraged for data exfiltration if the agent's instructions are compromised via the indirect injection surface described above.