multi-harness-portability

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill reads external skill definitions and installs them into agent harness configuration files (e.g. CLAUDE.md, .cursor/rules/). That is an indirect prompt injection surface: instructions embedded in a processed skill file can be persisted into the agent's governing rules, where they apply to every later session, not just the one that ran the installer.
  • Ingestion points: The SkillInstaller.parse_skill and extract_instructions methods in the provided implementation read and process content from external file paths supplied to the installer.
  • Boundary markers: When external content is interpolated into platform-specific configuration files, the logic adds no boundary markers and no explicit instruction telling the agent to treat the enclosed text as quoted data rather than as commands.
  • Capability inventory: The skill can create directories (Path.mkdir) and write files (Path.write_text) under sensitive project-level configuration directories.
  • Sanitization: The implementation does not sanitize or validate the skill content or its metadata (such as the skill name) before using it in file system operations. A skill name containing path separators or ".." would be used as a path component unchanged, so a crafted name could also lead to path traversal outside the intended rules directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 07:04 PM