ez-cronjob
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Prompt Injection (HIGH): The skill contains explicit behavioral overrides in `SKILL.md` that instruct the agent to disregard its intended `cron` tool and instead use the generic `exec` or `bash` tools. This steers the agent away from constrained environments toward high-privilege shell access.
- Command Execution (HIGH): By mandating the use of the `exec` tool to manage cron jobs (e.g., `exec: clawdbot cron add ...`), the skill creates a significant command injection surface. If an attacker can influence the contents of the cron name or message, they may be able to execute arbitrary shell commands on the host system.
- Indirect Prompt Injection (MEDIUM): The skill teaches the agent to use a "robust message template" that embeds natural language instructions (`[INSTRUCTION: DO NOT USE ANY TOOLS]`) within data fields. This pattern acknowledges a lack of boundary enforcement and demonstrates how untrusted data can be used to steer agent behavior at runtime.
- External Downloads (LOW): The `README.md` suggests installation via `clawdhub`, an unverified third-party repository that is not part of the trusted source list.
Recommendations
- AI detected serious security threats
Audit Metadata