scheduling
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill allows users to schedule arbitrary shell commands using the aiter cron add command. This provides a mechanism for persistent, recurring execution of system-level commands.
- [COMMAND_EXECUTION]: The 'heartbeat' mechanism automatically executes actions defined in markdown files (e.g., .aiter/memory/tasks.md). These actions can include complex shell commands such as deployment scripts (npm run deploy) or repository management via the GitHub CLI.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection vulnerability through its heartbeat automation. The agent is instructed to read and execute commands from local memory files. If an attacker manages to influence the content of these files (e.g., by tricking the agent into saving external data into tasks.md), the agent could execute malicious commands autonomously during the next scheduled heartbeat.
  - Ingestion points: The agent reads from .aiter/memory/tasks.md and .aiter/memory/orchestration.md.
  - Boundary markers: No specific delimiters or safety instructions are defined to separate user-provided data from executable commands in the task file.
  - Capability inventory: The agent has the ability to execute shell commands, perform Git operations, and manage project files.
  - Sanitization: There is no evidence of sanitization or validation performed on the 'action' or 'condition' fields retrieved from the task files before execution.