harness-security-bench
Warn
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch the @metaharness/darwin package from the NPM registry at runtime. While NPM is a well-known service, the package scope is not recognized as a trusted vendor.
- [REMOTE_CODE_EXECUTION]: The skill executes code downloaded via npx from a remote source. This pattern allows code from an external package to execute in the local environment.
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variable arguments like --population and --cycles. This creates a potential surface for command injection if these arguments are derived from unvalidated user input or configurations.
Audit Metadata