Re: Hold your horses
Just to reiterate:
"Exposing a Salt master to the internet is not best practice and firewall security should be implemented."
In terms of tasks, you should have more than just setup scripts - there will likely be inventory and validation scripts to make sure your clients are working as expected. If you can get a job injected into the Salt master, it will likely distribute your exploit far and wide.
I feel that its worth mentioning something about the wisdom of allowing your configuration management servers to be publicly accessible on the Internet. Wait....if I say it's part of an IoT deployment that will make it ok.