Skills
skills/phlegonlabs/harness-engineering-skills/harness-engineering-orchestrator/Gen Agent Trust Hub

harness-engineering-orchestrator

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection attack surface identified (Category 8).
  • Ingestion points: Processes untrusted project documentation such as docs/PRD.md and docs/ARCHITECTURE.md to drive the orchestration logic.
  • Boundary markers: Utilizes decorative markers (e.g., , ) in references/runtime/orchestrator/context-builder.ts but lacks explicit structural delimiters or warnings to ignore embedded instructions in data.
  • Capability inventory: Possesses significant capabilities across the runtime files including subprocess execution (Bun.spawn in references/runtime/validation/helpers.ts), arbitrary file system writes (writeFileSync), and network health checks.
  • Sanitization: Lacks sanitization or escaping of the ingested document content before it is interpolated into the agent context.
  • [EXTERNAL_DOWNLOADS]: Downloads and executes the Bun runtime installer from https://bun.sh/install (for Unix) or bun.sh/install.ps1 (for Windows) during the setup phase if the runtime is missing.
  • [COMMAND_EXECUTION]: Executes a wide variety of shell commands derived from the state.toolchain configuration, including git, bun, npm, and turbo operations, which is intended but represents a risk if the state is manipulated.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 28, 2026, 04:32 AM