Skills
skills/imansmallapple/harmonyos-dev-skill/harmonyos-dev-pro/Gen Agent Trust Hub

harmonyos-dev-pro

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill is instructed to run 'node scripts/check_env.cjs' as part of its environment verification process. This script is missing from the provided skill files, which is a significant security risk as the execution logic cannot be audited or verified.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill executes 'ohpm install' to fetch third-party packages. Because the 'oh-package.json5' manifest is missing from the template assets, the external code and dependencies being introduced to the environment are unknown and unverifiable.
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection through its interaction with 'build-profile.json5'.
  • Ingestion points: The agent is required to read 'build-profile.json5' to verify SDK versions ('targetSdkVersion' and 'compatibleSdkVersion').
  • Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the configuration file.
  • Capability inventory: The skill has powerful shell execution capabilities, including 'node', 'ohpm', 'git', and build tools ('hvigorw').
  • Sanitization: Absent. The agent uses data from the parsed file to make logic decisions and execute subsequent commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 02:40 PM