ghm-harvest
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security vulnerabilities or malicious patterns were identified. The skill follows best practices for managing project documentation and local file organization.
- [DATA_EXPOSURE]: The skill processes project-related data such as business rules, user research, and API designs. All operations are confined to the local filesystem (moving files from temp/ to SoT/ or archive/), with no indications of data exfiltration or unauthorized access to sensitive system files.
- [COMMAND_EXECUTION]: The skill instructions mention the use of a tool named ghm-id-register for generating document IDs. This appears to be a local project-specific utility. The skill uses standard filesystem tools (Read, Write, Edit, Glob, Grep) as permitted in its configuration for its intended purpose of document management.
- [PROMPT_INJECTION]: While the skill ingests untrusted content from temporary files (indirect prompt injection surface), this is inherent to its primary function as a documentation processor. The skill provides structured templates and clear logical boundaries for the extraction process, which mitigates accidental execution of instructions embedded in the processed data.
Audit Metadata