scheduler
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill is designed to execute arbitrary shell scripts, binaries, and PowerShell commands.
  - Evidence: Step 1 specifically identifies 'Command / operation to run' as a task intent. Step 2 mentions 'Running a script or command' and 'Triggering a workflow'.
  - Risk: Without strict validation or a predefined whitelist of commands, an attacker could use prompt injection to schedule destructive commands (e.g., `rm -rf /` or data exfiltration scripts).
- [PERSISTENCE] (MEDIUM): The skill's primary function is to establish persistence on the host operating system using native tools.
  - Evidence: It utilizes `launchd` (macOS), `cron`/`systemd` (Linux), and Windows Task Scheduler.
  - Risk: These are standard techniques used by malware to maintain access. While legitimate here, they provide a ready-made API for an attacker to ensure malicious code runs across reboots.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill lacks explicit sanitization logic for the commands it schedules.
  - Ingestion points: User instructions via Step 1 ('Parse the request').
  - Boundary markers: Absent; the skill does not define delimiters to separate user data from the generated command string.
  - Capability inventory: High; can write helper scripts, modify `cron`, and execute `osascript` or `PowerShell`.
  - Sanitization: Absent; the skill relies on the agent to 'interpret' the intent without technical filtering of dangerous characters or command sequences.