I read in blog from Pete Finnigan about the potential security hole in DBMS_SCHEDULER package.
DBMS_SCHEDULER as a new alternative for DBMS_JOB by Patrick Sinke
Note that on some OS, like AIX5L / oracle 10.2.0.2, the job runs as ORACLE, not as NOBODY
but it does not run binaries, just interpreted shell scripts, so if you do not access to the system, you probably will not find a script to harm… you cannot run something like rm or mkdir