dayu-harness
Warn
Audited by Socket on Jun 2, 2026
1 alert found:
Anomaly (severity: LOW) in scripts/scaffold.sh
No direct evidence of overt malware (no hardcoded secrets, no obvious external exfiltration endpoints, no reverse shells). The primary security risk is supply-chain execution: installer scripts are selected at run time from the manifest-provided .installer.script value and executed from the local scripts directory, and the harness also performs authenticated GitHub issue/PR and branch automation. Security therefore hinges on integrity controls for the manifests and scripts (who can change them, and whether the harness verifies them before execution) and on strict least privilege for the gh session. Because the collect_* implementations and the helper escaping/write routines are missing from this module, path traversal and JSON-handling correctness cannot be definitively assessed here.
Confidence: 60%
Severity: 62%
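As an added illustration of the integrity controls the audit points to (this is example code, not part of dayu-harness or its scripts/scaffold.sh), the POSIX shell resolver below takes a manifest-provided installer name, confines it to a single scripts directory, and verifies the file against a pinned SHA256SUMS list before anything is executed. The directory layout, the SHA256SUMS file, the function names, the return codes and the fixture contents are all assumptions made for this example; reading .installer.script out of the manifest (for instance with jq -r) is assumed to happen before resolve_installer is called. The gh-session side of the finding (token scopes) is not covered here.

```shell
#!/bin/sh
# Added example, not dayu-harness code. Shows three checks a harness can apply
# before executing a manifest-selected installer script from a local directory:
#   1. syntactic allowlist on the name (no slashes, no leading dot, safe chars)
#   2. the resolved path must be a regular, non-symlinked file in the scripts dir
#   3. the file's sha256 must match a pinned entry in SHA256SUMS
# Hypothetical layout: $SCRIPTS_DIR/<name>.sh plus a committed SHA256SUMS file.

# Portable sha256 (coreutils sha256sum, or shasum on BSD/macOS).
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# resolve_installer SCRIPTS_DIR NAME
# Prints the resolved path and returns 0 only if NAME passes all three checks.
# Return codes (assumed convention): 1 bad name, 2 not a regular file in the
# directory (missing, directory, or symlink), 3 no pinned checksum, 4 mismatch.
resolve_installer() {
  local scripts_dir="$1" name="$2" path expected actual
  case "$name" in
    ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;   # traversal and shell metachars
  esac
  path="$scripts_dir/$name"
  if [ ! -f "$path" ] || [ -L "$path" ]; then
    return 2
  fi
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$scripts_dir/SHA256SUMS" 2>/dev/null)
  [ -n "$expected" ] || return 3
  actual=$(_sha256 "$path")
  [ "$actual" = "$expected" ] || return 4
  printf '%s\n' "$path"
}

# run_installer SCRIPTS_DIR NAME: execute only after resolve_installer succeeds.
run_installer() {
  local p
  p=$(resolve_installer "$1" "$2") || return $?
  sh "$p"
}

# Constructed fixture for the demo: a temp scripts dir with one pinned script,
# one unpinned script, and a symlink pointing outside the directory. In a real
# repository SHA256SUMS is committed and reviewed, not generated at run time.
make_fixture() {
  local d
  d=$(mktemp -d)
  printf '#!/bin/sh\necho "installing node"\n' > "$d/install-node.sh"
  printf '#!/bin/sh\necho "not pinned"\n' > "$d/unlisted.sh"
  ln -s /etc/passwd "$d/link.sh"
  printf '%s  install-node.sh\n' "$(_sha256 "$d/install-node.sh")" > "$d/SHA256SUMS"
  printf '%s\n' "$d"
}

demo() {
  local d n p rc
  d=$(make_fixture)
  # Names a manifest might hand us, including hostile ones.
  for n in install-node.sh unlisted.sh link.sh ../../etc/passwd '$(id).sh'; do
    if p=$(resolve_installer "$d" "$n"); then
      echo "ALLOW $n -> $p"
    else
      rc=$?
      echo "DENY  $n (rc=$rc)"
    fi
  done
  # Tampering with a pinned script after review is caught by the checksum.
  echo '# tampered' >> "$d/install-node.sh"
  resolve_installer "$d" install-node.sh >/dev/null || echo "DENY  install-node.sh after tamper (rc=$?)"
  rm -rf "$d"
  return 0
}
demo
```

The name allowlist rejects the traversal and command-substitution cases before any filesystem access, the symlink check stops a link inside the directory from redirecting execution elsewhere, and the checksum ties execution to a reviewed version of the script rather than to whatever currently sits in the directory. Running the script through sh rather than relying on its executable bit keeps the decision to execute in the resolver.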
Audit Metadata