schedule
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill allows for the creation of scheduled tasks that deliver text messages (prompts) to agents at a future time. This creates a surface for indirect prompt injection where malicious instructions can be persisted and executed with a delay.
  - Ingestion points: Untrusted data enters the system via the `--message` argument in `scripts/schedule.sh` or the `message` field in the `/api/schedules` REST endpoint.
  - Boundary markers: The skill does not implement delimiters or instructions to ignore embedded commands within the scheduled messages.
  - Capability inventory: Scheduled messages are delivered to agents who may have high-privilege capabilities such as file system access or shell execution.
  - Sanitization: While `scripts/schedule.sh` performs basic character escaping for JSON compatibility, it does not sanitize the content of the message for malicious instructions.
- [COMMAND_EXECUTION]: The `scripts/schedule.sh` utility manually constructs JSON payloads for `curl` commands using string concatenation. Several variables, including `--agent`, `--channel`, and `--sender`, are interpolated into the JSON string without escaping, which could lead to malformed JSON or payload injection if these arguments contain double quotes or other special characters.
Audit Metadata