harness-automation
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill utilizes environment variables such as HARNESS_ACCOUNT and HARNESS_ORG for authentication and configuration. This is standard practice for CI/CD integrations, and the skill explicitly instructs the agent to never hard-code these identifiers.
- [COMMAND_EXECUTION]: Automation patterns involve the use of the hc CLI, curl for API access, and pwsh for running local scripts. The skill defines safety rules that prohibit bypassing verification hooks or force-pushing to protected branches.
- [REMOTE_CODE_EXECUTION]: The skill triggers remote pipeline executions on the Harness platform. To manage risk, the instructions mandate explicit user confirmation for all destructive operations, such as resource deletion or execution purging.
- [PROMPT_INJECTION]: The skill processes untrusted data from external sources (pipeline execution logs and resource metadata), which introduces a surface for indirect prompt injection.
- Ingestion points: Data returned from mcp__harness__harness_status, mcp__harness__harness_diagnose, and mcp__harness__harness_get in SKILL.md.
- Boundary markers: No explicit delimiters or instructions are provided to the agent to treat tool output as untrusted data.
- Capability inventory: The skill has the ability to trigger remote code (pipelines), create pull requests, and execute local shell commands (hc, curl, pwsh).
- Sanitization: No explicit sanitization of tool output is defined; however, the requirement for human confirmation on destructive actions serves as a primary mitigation.
Audit Metadata