Back to skill

Security audit

Schedule Task

Security checks across malware telemetry and agentic risk

Overview

This scheduler is mostly what it claims to be, but it can persist arbitrary cron commands and mishandle the user's crontab in ways that may delete or fail to remove scheduled jobs.

Review carefully before installing. Back up your existing crontab first, avoid scheduling sensitive or destructive commands with this version, and do not rely on its remove/disable behavior until it preserves unrelated cron entries, marks its own managed jobs, validates cron/command/log fields, and restricts log reads to scheduler-owned files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Write new crontab
        new_crontab = current + line
        proc = subprocess.Popen(['crontab', '-'], stdin=subprocess.PIPE)
        proc.communicate(input=new_crontab.encode())
        
    except Exception as e:
Confidence
98% confidence
Finding
proc = subprocess.Popen(['crontab', '-'], stdin=subprocess.PIPE)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
new_crontab = "\n".join(lines) + "\n"
        if new_crontab.strip():
            proc = subprocess.Popen(['crontab', '-'], stdin=subprocess.PIPE)
            proc.communicate(input=new_crontab.encode())
    except Exception as e:
        print(f"Warning: Could not rebuild crontab: {e}")
Confidence
98% confidence
Finding
proc = subprocess.Popen(['crontab', '-'], stdin=subprocess.PIPE)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs users to invoke a scheduler that can add, remove, enable, and disable recurring jobs and execute arbitrary shell commands, yet it declares no permissions. That mismatch is dangerous because it hides privileged capabilities such as modifying scheduled execution and running commands automatically over time, reducing user awareness and weakening any permission-based review or approval process.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
`show_log` opens and prints whatever path is stored in the task's `log` field, with no restriction that it actually be a scheduler-created log file. An attacker who can create or modify a task can use this as an arbitrary local file read primitive for any file accessible to the current user, which exceeds the stated task-scheduling purpose.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
`rebuild_crontab` replaces the user's entire crontab with only entries present in the scheduler's JSON file. This can silently delete unrelated cron jobs, causing loss of automation, backups, monitoring, or security tasks; in the worst case it can disable important operational controls. Given the skill's purpose, modifying cron is expected, but destructive replacement of unrelated entries is broader and materially riskier than adding managed tasks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description presents the skill as simple task scheduling but does not warn that using it can modify cron scheduling and cause commands to run automatically and repeatedly without further user interaction. In this context, that omission is materially risky because recurring execution amplifies the effect of any mistaken, unsafe, or malicious command and may create persistence on the host.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.