skills/ruvnet/ruflo/harness-genome/Gen Agent Trust Hub

harness-genome

Warn

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes npx metaharness genome, which fetches the metaharness package from the npm registry at runtime if it is not already installed locally.
  • [REMOTE_CODE_EXECUTION]: Executing code via npx for a package from a public registry that is not associated with a trusted organization or well-known service constitutes remote code execution.
  • [COMMAND_EXECUTION]: The shell command npx metaharness genome <path> --json incorporates the <path> argument directly from user input. This creates a potential shell command injection vulnerability if the input is not sanitized, as an attacker could append malicious commands using shell metacharacters.
  • [REMOTE_CODE_EXECUTION]: The skill references an implementation script at ../../scripts/genome.mjs. This path points outside the standard skill directory structure, suggesting a dependency on unverified files in the host environment.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 18, 2026, 06:39 PM