Skills
skills/ruvnet/ruflo/harness-mint/Gen Agent Trust Hub

harness-mint

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx metaharness to fetch and execute the scaffolding utility from the npm registry. This is the core functionality of the skill.
  • [COMMAND_EXECUTION]: Shell commands are used to invoke the metaharness tool via npx to create new directory trees.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because user-provided values for arguments like --name and --template are interpolated into shell commands.
  • Ingestion points: User input provided via agent prompts for the --name, --template, and --host arguments in SKILL.md.
  • Boundary markers: Absent; the instructions do not describe the use of delimiters or escaping for the user-controlled arguments.
  • Capability inventory: Subprocess execution via npx within the scripts/mint.mjs script.
  • Sanitization: The documentation states that the skill validates --name and --template and performs safety checks on the target path, providing a layer of protection against malicious input.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 06:39 PM
Security Audit — agent-trust-hub — harness-mint