long-running-agent-harness
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The coding agent prompt in references/coding-prompt.md instructs the agent to apply chmod +x to and execute generated shell scripts (e.g., _working/init_myapp.sh). It also mandates the execution of arbitrary commands defined in the _working/agent-runbook.md file without further validation.
- [REMOTE_CODE_EXECUTION]: The initializer agent (references/initializer-prompt.md) is tasked with creating scripts that perform dependency installation and service startup. The subsequent automated execution of these scripts by the coding agent constitutes a remote code execution risk if the initial design doc requirements are compromised.
- [PROMPT_INJECTION]: The workflow is vulnerable to indirect prompt injection through the _working/design.md file. Malicious input in this document can influence the initializer agent to generate dangerous instructions in the scripts and runbooks. Evidence:
  1. Ingestion points: _working/design.md.
  2. Boundary markers: None.
  3. Capability inventory: Subprocess calls via init scripts and runbook commands.
  4. Sanitization: None.
- [DATA_EXFILTRATION]: The automated use of git add . and git commit by the coding agent for progress tracking may lead to the accidental commitment and exposure of sensitive local files or credentials if they are present in the workspace and not explicitly ignored.
Audit Metadata