task-reminder

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill starts a local FastAPI server (assets/project/server/main.py) that provides a /tasks endpoint. This endpoint accepts script_path and script_args, which are passed directly to subprocess.run in assets/project/server/scheduler.py. This allows any process (or potentially a browser-based attack targeting localhost) to execute arbitrary Python scripts on the user's machine.
  • Evidence: assets/project/server/scheduler.py uses subprocess.run(["python", str(script_path)] + script_args, ...) where script_path is an unvalidated string provided via the API.
  • EXTERNAL_DOWNLOADS (MEDIUM): The scripts/start_server.py script automatically creates a Python virtual environment and installs dependencies from requirements.txt using pip install. While the listed packages are common, automatic execution of package managers during a skill's 'start' phase is a security risk.
  • Evidence: scripts/start_server.py executes subprocess.run([str(venv_python), "-m", "pip", "install", "-r", str(requirements_path)], check=True).
  • CREDENTIALS_UNSAFE (LOW): The skill relies on config/email_config.json to store SMTP credentials (smtp_user, smtp_password) in plain text. Although the provided file uses placeholders ('xxx'), it encourages the user to store sensitive secrets in an unencrypted configuration file.
  • Evidence: config/email_config.json contains keys for smtp_user and smtp_password.
  • INDIRECT PROMPT INJECTION (LOW): The skill processes user-supplied reminder content and interpolates it into the arguments of the email-sending script. While subprocess.run is used with a list (reducing shell injection risk), the lack of sanitization on the 'content' field could lead to unexpected behavior if the downstream script handles arguments unsafely.
  • Evidence Chain:
    1. Ingestion point: User input for reminder content in SKILL.md.
    2. Boundary markers: None (direct interpolation).
    3. Capability inventory: subprocess.run execution of scripts/send_email.py.
    4. Sanitization: None detected in scripts/remind.py or assets/project/server/scheduler.py.
Recommendations
  • HIGH: Downloads and executes remote code from: http://127.0.0.1:8000/health - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:36 PM