cron-mastery

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill provides templates and instructions for the agent to schedule 'agentTurn' payloads—messages that act as new instructions for the agent at a later time.
      • Ingestion points: The 'Morning Briefing' template (references/TEMPLATES.md) explicitly instructs the agent to ingest untrusted data from a 'web search'.
      • Boundary markers: None. The templates do not provide delimiters or warnings to prevent the agent from obeying instructions found within the untrusted web search results during the briefing turn.
      • Capability inventory: The skill uses cron:add and cron:list tools, which allow the agent to create persistent, automated tasks and delete existing jobs.
      • Sanitization: Absent. There is no guidance on validating or sanitizing external content before it is interpolated into a cron message.
  • [Command Execution] (MEDIUM): The 'Daily Janitor' pattern (SKILL.md) grants the agent the ability to autonomously list and delete system-level resources (cron jobs). While intended for maintenance, an attacker who successfully injects instructions into the cron list could potentially cause the agent to delete legitimate user tasks or critical maintenance jobs.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 14, 2026, 03:55 PM