2026-01-27 · Authensor

How to Prevent AI Agents from Creating Cron Jobs

SafeClaw by Authensor blocks cron job creation and all scheduled task mechanisms by default, preventing AI agents from establishing persistent, recurring execution on your system. Install SafeClaw with npx @authensor/safeclaw and every attempt to create crontab entries, at jobs, or systemd timers is denied and recorded in a hash-chained audit log.

Why Cron Job Creation Is Dangerous When AI Agents Do It

Cron jobs persist beyond the agent's session. An agent that creates a cron job establishes a foothold that executes code on a schedule, independent of any future safety controls. This is a classic persistence technique in security attacks: the cron job can re-download malware after cleanup, exfiltrate data at regular intervals, maintain reverse shells, or consume system resources with cryptomining. Even benign-seeming cron jobs are dangerous when created by agents — an agent might create a job that runs a script it hallucinated, consuming resources or producing errors indefinitely. The cron daemon runs with the user's full permissions and has no concept of action gating, so any cron job created by an agent bypasses all future SafeClaw protections unless the cron job itself invokes SafeClaw-gated tools.

The Exact SafeClaw Policy to Block Cron Job Creation

Add these rules to .safeclaw/policy.yaml:

rules:
  # Block crontab modifications
  - id: deny-crontab-edit
    action: shell.exec
    match:
      command: "crontab -e*"
    effect: deny
    audit: true
    message: "Crontab editing is permanently denied for AI agents."

  - id: deny-crontab-install
    action: shell.exec
    match:
      command: "crontab *"
    effect: deny
    audit: true
    message: "Crontab modification is denied."

  # Block direct cron file writes
  - id: deny-write-cron-d
    action: file.write
    match:
      path: "/etc/cron.d/*"
    effect: deny
    audit: true
    message: "Writing to /etc/cron.d is denied."

  - id: deny-write-crontab
    action: file.write
    match:
      path: "/crontab"
    effect: deny
    audit: true
    message: "Writing crontab files is denied."

  - id: deny-write-cron-dirs
    action: file.write
    match:
      path: "/etc/cron./"
    effect: deny
    audit: true
    message: "Writing to cron directories is denied."

  # Block at command (one-time scheduled tasks)
  - id: deny-at-command
    action: shell.exec
    match:
      command: "at *"
    effect: deny
    audit: true
    message: "at command scheduling is denied."

  - id: deny-batch-command
    action: shell.exec
    match:
      command: "batch*"
    effect: deny
    audit: true
    message: "batch command scheduling is denied."

  # Block systemd timer creation
  - id: deny-systemctl-enable-timer
    action: shell.exec
    match:
      command: "systemctl enabletimer"
    effect: deny
    audit: true
    message: "Systemd timer creation is denied."

  - id: deny-write-systemd-timer
    action: file.write
    match:
      path: "/etc/systemd/system/*.timer"
    effect: deny
    audit: true
    message: "Writing systemd timer files is denied."

This comprehensive policy blocks all scheduling mechanisms: crontab commands, direct writes to cron directories, at for one-time jobs, batch for load-deferred execution, and systemd timers — the modern replacement for cron on systemd-based systems.

What Happens When the Agent Tries

When an agent attempts crontab -e or pipes content to crontab:

  1. SafeClaw intercepts the shell.exec action.
  2. The deny-crontab-edit or deny-crontab-install rule matches.
  3. The command is blocked. No crontab entry is created.
  4. Audit entry:
{
  "timestamp": "2026-02-13T07:30:55Z",
  "action": "shell.exec",
  "command": "crontab -l | { cat; echo '*/5 * * * * /tmp/agent-task.sh'; } | crontab -",
  "effect": "deny",
  "rule": "deny-crontab-install",
  "agent": "automation-agent-01",
  "hash": "k9m6p3...chain"
}

The audit log captures the full compound command, revealing both the schedule (*/5 * * * *) and the script the agent intended to run (/tmp/agent-task.sh).

How to Allow Specific Scheduled Tasks with Approval

For automation workflows that legitimately need scheduling:

rules:
  - id: deny-crontab-edit
    action: shell.exec
    match:
      command: "crontab -e*"
    effect: deny
    audit: true
    message: "Interactive crontab editing is permanently denied."

  - id: approve-crontab-install
    action: shell.exec
    match:
      command: "crontab *"
    effect: approval
    audit: true
    approvers:
      - role: sysadmin
    timeout: 300
    message: "Crontab changes require sysadmin approval. Full command logged."

The sysadmin sees the exact crontab content — including the schedule, command, and any piped input — before approving. Interactive editing (crontab -e) remains hard-denied because it requires terminal interaction incompatible with approval review.

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'crontab -e'

Expected: deny, rule: deny-crontab-edit

npx @authensor/safeclaw simulate --action 'file.write' --path '/etc/cron.d/agent-task'

Expected: deny, rule: deny-write-cron-d
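
The simulate commands confirm what the policy would decide; they do not show whether a scheduled task already landed on disk before the policy was in place. The following is an added example, not part of SafeClaw or the original page: a POSIX shell check that lists cron, at and systemd timer files modified after a marker file. The function names scan_sched and demo, the marker file, and the spool paths /var/spool/cron and /var/spool/at are assumptions; the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example (not SafeClaw code): list scheduled-task files that changed
# after a marker file, e.g. one touched when the agent session started.
# Spool paths are common Linux defaults and are assumptions for your distro.

scan_sched() {  # usage: scan_sched ROOT MARKER   (ROOT "/" = live system)
  root=${1%/}; marker=$2
  for p in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
           etc/cron.weekly etc/cron.monthly \
           var/spool/cron var/spool/at etc/systemd/system; do
    [ -e "$root/$p" ] || continue
    if [ "$p" = etc/systemd/system ]; then
      # Timer units, plus the symlinks that `systemctl enable` creates.
      find "$root/$p" \( -type f -o -type l \) -name '*.timer' -newer "$marker"
    else
      find "$root/$p" -type f -newer "$marker"
    fi
  done | sort
}

demo() {  # constructed tree: one old job, two entries newer than the marker
  t=$(mktemp -d) || return 1
  mkdir -p "$t/etc/cron.d" "$t/etc/systemd/system"
  touch -t 202001010000 "$t/session-start"
  touch -t 201901010000 "$t/etc/cron.d/logrotate"
  touch -t 202101010000 "$t/etc/cron.d/agent-task" \
        "$t/etc/systemd/system/sync.timer" "$t/etc/systemd/system/sync.service"
  scan_sched "$t" "$t/session-start" | sed "s|^$t||"
  rm -rf "$t"
}

# With two arguments scan that root; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then scan_sched "$1" "$2"; else demo; fi
```

Against a live system, pass / as ROOT and run as root, since the crontab and at spool directories are normally unreadable to other users.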
