schedule-task

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Risk categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions and tools for creating and running arbitrary Bash and Python scripts on the host system. The schedule_run tool allows the agent to execute code defined in the scripts/ directory of a task.
  • [DATA_EXFILTRATION]: The system allows tasks to be configured with Slack permissions (slack_post_message, slack_upload_file). This creates a path for data residing on the local system or workspace to be transmitted to external Slack channels.
  • [PROMPT_INJECTION]: The skill relies on natural language instructions stored in TASK.md files to guide the agent's behavior during execution. This introduces an indirect prompt injection surface where a malicious TASK.md could override intended behavior.
  • Ingestion points: The agent reads instructions from {task-dir}/TASK.md and configuration from schedule.yaml.
  • Boundary markers: No specific delimiters are required to separate task instructions from system safety guidelines.
  • Capability inventory: The skill allows file system writes, shell command execution via Bash/Python, and network communication via Slack tools.
  • Sanitization: There is no mention of sanitizing or validating the content of the TASK.md or scripts before execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 31, 2026, 06:54 AM
Security Audit — agent-trust-hub — schedule-task