scheduled-task
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The Windows notification logic in `scripts/notify.py` is vulnerable to command injection. It uses Python f-strings to interpolate task names and status messages directly into a PowerShell script block. A malicious task name containing characters like `"@` could terminate the here-string and execute arbitrary PowerShell commands on the host.
- [COMMAND_EXECUTION]: The `scripts/scheduler.py` daemon executes the `claude` CLI via `subprocess.run` using content retrieved from `.md` files in the `.scheduled-tasks/tasks/` directory. While this is the intended behavior, it provides a direct execution path for any content stored in those files.
- [PROMPT_INJECTION]: The skill provides an indirect prompt injection surface by ingesting untrusted prompts and file patterns that are subsequently processed by the agent.
  - Ingestion points: `scripts/create_task.py` (`--prompt` and `--focus-files` arguments).
  - Boundary markers: None (instructions are written directly to markdown files without delimiters).
  - Capability inventory: `subprocess.run` execution of the Claude CLI in `scripts/scheduler.py`.
  - Sanitization: No validation or escaping is applied to user-provided prompt strings.
- [PERSISTENCE]: The `scripts/scheduler.py` script includes a `daemonize()` function and a continuous loop to maintain persistence on the host system, allowing tasks to run in the background across sessions.
Audit Metadata