harness-wizard
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data that influences agent actions.
  - Ingestion points: The 'Application Specification' collected in Phase 8 of the wizard (SKILL.md) and stored in Archon documents.
  - Boundary markers: The generated prompt templates in .harness/prompts/ do not include explicit delimiters or instructions to ignore instructions embedded within the specification.
  - Capability inventory: The generated agents possess capabilities for shell command execution (bash), filesystem access, and repository management via the GitHub MCP server.
  - Sanitization: No validation or sanitization is performed on the specification content before it is processed by the agents.
- [COMMAND_EXECUTION]: The skill generates environment initialization scripts (init.sh and init.ps1) and configures a pipeline where the 'Coder' and 'Tester' agents execute shell commands. Although it includes a phase for users to define security constraints (denying sudo, rm -rf, and curl), the core functionality depends on executing arbitrary code within the project directory.
Audit Metadata