harness-work
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute repository management and code processing commands, including git, mktemp, and timeout. It also calls vendor-specific CLI utilities such as harness-plan and codex to automate the software implementation lifecycle. These operations are restricted to the intended functional scope of the skill.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by ingesting untrusted task descriptions from Plans.md and interpolating them into sub-agent instructions. 1. Ingestion points: Task '内容' (content) and 'DoD' (Definition of Done) fields in Plans.md. 2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands were identified. 3. Capability inventory: The skill and its workers have access to Bash, Write, Edit, and sub-agent spawning. 4. Sanitization: No sanitization of ingested task data was observed before prompt construction. This is a common design pattern in automation skills and is documented here as an inherent risk factor.
Audit Metadata