harness
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill framework instructs the agent to execute arbitrary shell commands defined in the 'harness-tasks.json' configuration file, specifically within the 'validation.command' and 'on_failure.cleanup' fields. It also executes an optional 'harness-init.sh' script during session initialization and performs potentially destructive Git operations such as 'git reset --hard' and 'git clean -fd' as part of its rollback logic.
- [PROMPT_INJECTION]: The skill uses custom hooks ('harness-stop.py', 'harness-teammateidle.py') that return 'block' decisions to the agent. These decisions contain explicit instructions that override the agent's natural stopping behavior to ensure continuous task execution. Additionally, the 'self-reflect-stop.py' hook injects a detailed 'Self-Reflect' prompt with a checklist for the agent to follow upon task completion. This constitutes a direct injection of instructions into the agent's workflow.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface due to its data-driven architecture: \n
- Ingestion points: The framework reads task metadata and commands from 'harness-tasks.json' and 'harness-progress.txt' in the project directory.\n
- Boundary markers: Injected context is often prefixed with 'HARNESS:', but there are no strict delimiters or instructions to ignore embedded commands read from external files.\n
- Capability inventory: The agent is empowered to execute shell commands, manage background processes, and modify the file system via Git.\n
- Sanitization: No sanitization or validation is performed on the commands or text read from the configuration files before they are used to drive agent actions.
Audit Metadata