casual-cron
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to interact with the host system via the openclaw CLI. In SKILL.md, the instructions for the /at and /every shortcuts include templates for constructing shell commands that incorporate a user-controlled variable into the --message argument. There are no instructions to sanitize or escape shell metacharacters within this variable, which creates an indirect command injection vulnerability surface.
- Ingestion points: SKILL.md instructions for /at and /every command shortcuts.
- Boundary markers: None provided for the interpolated string.
- Capability inventory: Execution of the openclaw cron add CLI tool via the agent's command execution capabilities.
- Sanitization: Absent for the user-controlled variable in the markdown examples.
- [PROMPT_INJECTION]: The skill's documentation contains a 'Cron Run Guard' section with absolute negative constraints such as 'do NOT troubleshoot' and 'Output ONLY the exact message'. While intended for the context of a background task, these patterns are commonly used in prompt injection attacks to override standard safety protocols or system instructions.
Audit Metadata