task-harness
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates a local shell script (init.sh) from a template and instructs the agent to execute it to restore environment context. This establishes a workflow pattern of running scripts generated by the agent, which carries inherent risks if the generation logic or underlying data is manipulated.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core functionality depends on the agent reading and executing 'steps' defined in external JSON and text files which could be influenced by untrusted sources.
  - Ingestion points: The agent reads instructions and status updates from feature_list.json, progress.txt, and task.json (as specified in Step 4 of the SKILL.md and referenced templates).
  - Boundary markers: Absent. There are no explicit delimiters or system instructions to ignore or sanitize embedded commands within the ingested task data.
  - Capability inventory: The agent is empowered to modify files across the codebase, execute arbitrary command steps defined in the JSON, and perform git operations (commit/push).
  - Sanitization: Absent. The skill does not implement validation, escaping, or filtering for the content of the tasks before they are processed by the agent.
Audit Metadata