harmony-arkts-development-assistant
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates an automated 'auto run' build process using 'hvigorw' whenever code structure or dependencies are modified.
- [EXTERNAL_DOWNLOADS]: The 'auto run' process includes 'ohpm install', which fetches external dependencies from the OpenHarmony package registry.
- [PROMPT_INJECTION]: The instruction to automatically run build commands ('ohpm install') on project files creates a surface for indirect prompt injection or supply chain attacks. Malicious instructions or scripts embedded in dependency manifests (oh-package.json5) could be executed during the automated build phase. 1. Ingestion points: User-provided ArkTS source files and dependency configuration files. 2. Boundary markers: Absent; no instructions are provided to the agent to sanitize or ignore embedded scripts in the project configuration. 3. Capability inventory: Shell command execution via 'ohpm' and 'hvigorw' as specified in the Auto Run section. 4. Sanitization: Absent; the build process is triggered automatically on the modified files.
Audit Metadata