cron-helper
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill interacts with the
openclawCLI to manage cron jobs. This is the core functionality and is used as intended for scheduling and task management. - [PROMPT_INJECTION] (LOW): The skill exhibits a surface for indirect prompt injection (Category 8) because it accepts arbitrary instructions from the user to be executed by the agent at a later time.
- Ingestion points: Untrusted user input is ingested via the
--messageand--system-eventflags withinSKILL.mdto define task behavior. - Boundary markers: Absent. The instructions are interpolated directly into shell commands without delimiters or warnings to ignore embedded instructions.
- Capability inventory: When used with
--session isolated, the agent can execute a full suite of tools (exec, read, message, etc.) in a background context. - Sanitization: Absent. There is no mention of escaping, validating, or filtering the contents of the user-provided messages before scheduling them.
- [Persistence Mechanisms] (LOW): While the skill facilitates persistence via cron jobs (Category 6), this is the primary and stated purpose of the tool. The risk is minimized by the use of a specialized CLI (
openclaw) rather than direct manipulation of system-level crontabs.
Audit Metadata