install
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs dynamic command assembly and execution using npx skills add <source> --skill <name> -y. The <source> and <name> parameters are retrieved from a local configuration file (~/.config/harness/manifest.json), which could lead to the execution of arbitrary code if the manifest points to malicious repositories.
- [REMOTE_CODE_EXECUTION]: By utilizing npx to fetch skills from external sources, the skill facilitates the downloading and running of remote code. The instructions specifically demonstrate fetching from repositories such as myuon/agent-skills.
- [DATA_EXFILTRATION]: The skill accesses sensitive local configuration files in the user's home directory (~/.config/harness/manifest.json) and project-specific decision logs (.harness-decisions.json). While used for its primary function, this demonstrates access to private system metadata.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its decision-making logic relies on reading untrusted project files like package.json, next.config.js, and go.mod. An attacker who can modify these files could manipulate the agent into installing unauthorized or malicious skills.
- Ingestion points: package.json, next.config.js, vite.config.ts, go.mod, Cargo.toml, and directory structure checks.
- Boundary markers: None identified; the skill reads file contents directly to evaluate conditions.
- Capability inventory: Shell command execution via npx, file system read access to configuration and project files, and file system write access to .harness-decisions.json.
- Sanitization: No input validation or sanitization is mentioned for the values extracted from the manifest or project files before they are interpolated into shell commands.
Audit Metadata