scheduled-task
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill allows users to schedule arbitrary instructions via the
promptfield for future execution. The documentation explicitly states that when these tasks run, all tool calls are automatically approved (auto-approve), bypassing the standard requirement for manual user confirmation. This creates a persistence surface for potentially malicious instructions to be executed without supervision later. - [COMMAND_EXECUTION]: The script
scripts/create-task.shperforms several shell operations, including: - Using
catto read payload data from temporary files (via the@filesyntax). - Executing a bundled JavaScript snippet using
nodeor an Electron runtime to perform HTTP requests. - Using
curlorwgetas fallback mechanisms for network communication. - [DATA_EXFILTRATION]: The skill transmits task configuration data, including the name, execution prompt, and working directory, to an internal API endpoint defined by the
LOBSTERAI_API_BASE_URLenvironment variable. While this is described as an internal proxy, the transmission of potentially sensitive instruction data to a network endpoint should be noted.
Audit Metadata