schedule
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill establishes persistence by modifying the user's system crontab entries.
- Evidence: The script
scripts/schedule.shusescrontab -lto read andcrontab "$tmpfile"to write updated cron schedules to the system. - [COMMAND_EXECUTION]: The skill generates and executes dynamic shell scripts at runtime.
- Evidence: In
scripts/schedule.sh, thebuild_cron_commandfunction writes a new bash script to the$TINYCLAW_HOME/schedule-jobs/directory and applieschmod +xto make it executable. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection through the interpolation of untrusted task messages into system commands.
- Ingestion points: The
--messageflag inscripts/schedule.shaccepts arbitrary text strings from the user or agent. - Boundary markers: No explicit delimiters or boundary markers are used to separate user input from the command structure.
- Capability inventory: The skill can modify the system crontab, write executable files to the filesystem, and perform network requests to the local API via
curl. - Sanitization: The script performs basic escaping of double quotes and backslashes in the
build_cron_commandfunction, which provides limited protection against shell or JSON injection.
Audit Metadata