scheduler

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill embeds the user's exact task instruction into the scheduled payload (payload.message) and outputs JSON for cron.add, so any secrets included by the user in commands (e.g., API keys, Bearer tokens, curl headers) would be copied verbatim into the agent output and stored/sent — enabling secret exfiltration even though the skill doesn't explicitly request keys.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly accepts and schedules checks of arbitrary URLs (see "API/health check" in the Agent Instructions and the "Check https://api.example.com/health" examples in SKILL.md and references/TEMPLATES.md), meaning the agent will fetch and interpret untrusted public web content as part of task execution, which can influence decisions/alerts and subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill allows scheduling and executing arbitrary shell commands and file operations (with Bash and file-tool access), which can modify system files, create users, or invoke sudo-level operations, and it offers only limited pattern-based checks rather than prohibiting or safely sandboxing these privileged actions.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 6, 2026, 04:41 PM