harness-similarity

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes npx ruflo to execute the comparison logic. Using npx involves downloading the specified package from the npm registry if it is not already cached locally.
  • [COMMAND_EXECUTION]: The skill executes shell commands via npx to invoke the metaharness similarity tool. These commands accept user-provided file paths or memory keys as arguments, which are then used as inputs for the similarity calculation.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of untrusted data from JSON fingerprints.
      • Ingestion points: The skill reads external JSON data from files or memory records specified via the --a, --b, --a-key, or --b-key arguments in SKILL.md.
      • Boundary markers: There are no defined delimiters or instructions to ignore embedded malicious content within the processed JSON files.
      • Capability inventory: The skill possesses Bash capabilities and can execute commands via npx and local scripts as defined in SKILL.md.
      • Sanitization: No sanitization or schema validation of the input JSON content is mentioned in the skill definition.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 18, 2026, 06:39 PM