harness-master
Warn
Audited by Socket on Apr 30, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The core audit/apply behavior is broadly consistent with a harness-config review skill and its approval gate reduces misuse, but the built-in install guidance introduces a notable transitive trust problem: `npx skills add <source>` can install skills from arbitrary third-party repositories. This is not confirmed malware, yet the supply-chain footprint is broader than the main audit purpose and warrants medium risk.
Confidence: 84%
Severity: 66%
Audit Metadata