cron

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a 'Task' mode where the agent is instructed to treat the content of a message parameter as a task description to be executed later. This creates an indirect prompt injection surface where the agent could be forced to perform unauthorized actions if the task content originates from untrusted data.
  • Ingestion points: The message parameter in the cron tool defined in SKILL.md.
  • Boundary markers: There are no delimiters or explicit instructions provided to the agent to treat the message as untrusted data or to ignore embedded instructions.
  • Capability inventory: The agent is given the capability to 'execute' the task, which implicitly grants access to all tools and operations within the agent's scope.
  • Sanitization: No sanitization or validation logic is specified for the message content.
  • [DATA_EXFILTRATION]: The skill's ability to schedule recurring tasks that interact with external repositories (e.g., checking GitHub stars in the provided example) introduces a risk of scheduled data exfiltration. If a task is configured to read sensitive local files or environment variables and then perform a network operation, it could be used to periodically leak information to a remote server.
  • [COMMAND_EXECUTION]: The persistence mechanism inherent in a scheduling tool allows for the creation of background tasks that run without active user presence or oversight. This functionality can be abused to maintain long-term access or perform background command execution (via the agent's tools) for malicious purposes, such as continuous system monitoring or periodic execution of malicious payloads.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:25 PM
Security Audit — agent-trust-hub — cron