cron-job-scheduler
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection.
- Ingestion points: The skill auto-activates when "cron job scheduler" is mentioned, which can be triggered by content within files read by the agent (e.g., via
ReadorGreptools). - Boundary markers: There are no boundary markers or explicit instructions to ignore embedded commands within the processed data.
- Capability inventory: The skill has access to
Bash,Write, andEdit, allowing it to modify system files and execute arbitrary code. - Sanitization: There is no mention of sanitizing or validating inputs before passing them to the execution tools.
- [Command Execution] (HIGH): The skill explicitly allows the
Bashtool. In the context of "cron job scheduler" tasks, this provides a direct path for the agent to install persistent malicious tasks (e.g., reverse shells) on the host system if the agent is misled by malicious instructions embedded in a project's documentation or codebase.
Recommendations
- AI detected serious security threats
Audit Metadata