harness-expert
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill documents templates that ingest runtime data via <+input> placeholders, creating an indirect prompt injection surface.
  - Ingestion points: Numerous variables like verify_script, manifest_repo, and app_name in SKILL.md allow external data entry.
  - Boundary markers: The YAML schema provides structural boundaries, but shell script blocks (script: |) lack specific delimiters to prevent instruction injection.
  - Capability inventory: The skill allows the agent to use Bash, Write, Edit, and WebFetch tools.
  - Sanitization: No sanitization or validation logic is present in the examples to handle potentially malicious input values.
- [COMMAND_EXECUTION]: The skill provides templates for executing shell scripts to perform Kubernetes management (kubectl), version control (git), and testing (newman). These are intended for use in an isolated CI/CD environment.
- [DATA_EXFILTRATION]: Includes examples of HTTP requests to external services like Slack and ArgoCD. These examples correctly demonstrate using Harness secret references (<+secrets.getValue()>) to securely handle sensitive tokens.