Back to skill

Security audit

Cron Task

Security checks across malware telemetry and agentic risk

Overview

This skill openly creates recurring task automation with generated scripts, Feishu notifications, and multi-destination archiving, but users should review credentials and destinations before use.

Install only if you want an agent to create recurring scheduled automation that writes a Python executor, runs commands, sends Feishu messages, and archives outputs to Feishu Cloud Drive, local Obsidian, and IMA. Before enabling a schedule, review the generated executor and Schedule message, remove any secret-prefix printing, confirm the timezone, and use least-privilege Feishu/IMA credentials with content that is safe to upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares powerful capabilities such as file writes, shell execution, environment-variable use, and network access, yet the analyzer indicates these are not reflected in explicit permission declarations. This creates a trust and review gap: operators may approve or invoke the skill without understanding that it can write local files, run commands, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description says it creates and configures a scheduled-task workflow with readiness checks, but the analyzed behavior reportedly performs live execution, network requests, and local writes while omitting the promised validation and scheduler configuration. This mismatch is dangerous because users may grant trust based on the description while the skill actually performs materially different, more invasive actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly advertises script generation, scheduled task creation, archiving to multiple destinations, and Feishu IM notifications, but it does not clearly warn users that using the skill will create files, configure recurring execution, and transmit task outputs to external services. This can cause users to enable persistent automation and data exfiltration paths without informed consent, especially because the feature set is framed as a convenience workflow rather than a potentially high-trust operation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to trigger automatic scheduled-task creation and script generation, but it does not clearly warn that this behavior will modify the user's environment by creating runnable artifacts and persistent scheduled automation. In an agent-skill context, that omission is security-relevant because users may invoke the skill conversationally without realizing it can create durable execution paths, increasing the risk of unintended persistence or misuse of existing credentials and integrations.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill hardcodes Asia/Shanghai as the default timezone for schedule creation without requiring user opt-in. In automation workflows, forced locale/timezone assumptions can cause tasks to run at unintended times, leading to missed reports, duplicate processing, or actions outside expected business windows.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script sends generated briefing content to an external third-party API without any in-script gating, classification check, or explicit operator confirmation. In this skill context, scheduled tasks may process arbitrary project data, so silent outbound transmission increases the risk of unintentionally exporting sensitive internal content to IMA.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs the skill to send briefing content and API credentials to a third-party remote service (IMA) but does not require any user-facing disclosure, consent, or data-classification check before transmission. In a cron-task context, this is more dangerous because uploads happen automatically and repeatedly, increasing the chance that sensitive context, internal summaries, or secrets are exfiltrated off-host without the user realizing it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The checklist explicitly instructs printing the first 8 characters of sensitive environment variable values, which can leak secret material into terminals, logs, screenshots, or shared debugging transcripts. Even partial secret disclosure reduces entropy and increases exposure risk, especially in an automation/debugging workflow where outputs may be archived or sent across systems.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The template tells the scheduler/agent to 'execute the full workflow' and immediately run a shell command, but it does not define strong trigger guardrails, approval requirements, or scope constraints beyond general prose elsewhere. In a scheduling context, ambiguous execution language increases the chance that a periodic agent runs powerful local scripts in the wrong project, with the wrong parameters, or after incomplete review, turning misconfiguration into unintended code execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly instructs the agent to read credentials from environment variables and then send data to Feishu IM, Feishu cloud storage, Obsidian, and an IMA knowledge base, yet it provides no user-facing consent, data classification, or restrictions on what may be archived or transmitted. In an automated recurring workflow, this creates a real risk of silent data exfiltration, oversharing sensitive outputs, or storing confidential content in multiple external destinations without adequate review.

External Transmission

Medium
Category
Data Exfiltration
Content
raise EnvironmentError("IMA credentials not configured")

        # Step 1: Create note
        url1 = "https://api.imawiki.com/openapi/note/v1/import_doc"
        data1 = json.dumps({
            "title": f"{TASK_NAME}-{date_str}",
            "content": content,
Confidence
86% confidence
Finding
https://api.imawiki.com/

External Transmission

Medium
Category
Data Exfiltration
Content
logger.info(f"✅ IMA note created: {note_id}")

        # Step 2: Add to knowledge base
        url2 = "https://api.imawiki.com/openapi/wiki/v1/add_knowledge"
        data2 = json.dumps({
            "kb_id": IMA_KB_ID,
            "media_type": 11,
Confidence
83% confidence
Finding
https://api.imawiki.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.