feat-harness
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the feature descriptions provided to the
/harness buildcommand. These descriptions influence the behavior of the Planner and Generator agents which have the capability to modify the repository.\n - Ingestion points: User-supplied feature descriptions in the
/harness build <feature>command and the ingestion of project files likepackage.jsonandREADME.mdto establish context.\n - Boundary markers: There are no explicit delimiters or specific instructions within the templates (e.g.,
references/agents/planner.md) to treat the feature description as potentially untrusted data or to ignore embedded instructions.\n - Capability inventory: The system allows the 'Generator' agent to write code and perform Git commits, and allows the 'Evaluator' to execute tests using tools like Playwright or CLI access.\n
- Sanitization: No sanitization or validation logic is defined to check the feature description for malicious instructions before it is processed by the agent chain.\n- [COMMAND_EXECUTION]: The 'Generator' and 'Evaluator' agent templates (in
references/agents/generator.mdandreferences/agents/evaluator.md) instruct the agents to build the project, run tests, and exercise new features. This capability to execute arbitrary code within the user's environment is the primary purpose of the skill, but it exposes the system to risk if the agents are influenced by an indirect prompt injection.
Audit Metadata