scheduler
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of shell commands like npm, git, and python via its scheduling engine. This is a core feature and is governed by a confirmation gate for destructive actions as outlined in Step 3 of the skill instructions.
- [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface (Category 8) by accepting free-form text that is later executed as an agent turn. While it uses job name prefixes and isolated sessions, it lacks strong boundary delimiters to separate user data from instructions. Evidence chain:
  1. Ingestion points: user-provided task descriptions in the schedule command.
  2. Boundary markers: prefixes like 'SCHEDULED TASK' are used but lack formal delimiters.
  3. Capability inventory: full agent tool access (Bash, files, network) within isolated sessions.
  4. Sanitization: destructive command filtering for patterns like 'rm' and 'drop' is present.
- [DATA_EXFILTRATION]: The inclusion of curl and API check capabilities allows the skill to perform network requests to arbitrary external domains, which could be leveraged for data transfer.
Audit Metadata