harness-engineering-orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a runtime orchestration engine that manages the project lifecycle by executing local development tools including Git and the project's specific toolchain (e.g., Bun, TypeScript, Linters, and Test Runners). These operations are performed via
Bun.spawnandBun.spawnSyncand are fundamental to the skill's intended functionality. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and parses user-provided documentation such as product requirements (
docs/PRD.md) and architectural specifications. This risk is mitigated by explicit design patterns: - Ingestion Points: Untrusted data enters the agent context through the reading of
docs/PRD.md,docs/prd/*.md, anddocs/ARCHITECTURE.mdduring backlog parsing and task dispatch. - Boundary Markers: The system utilizes managed file markers (e.g.,
<!-- BEGIN:MARKER -->) and enforces a strict trust hierarchy defined inSKILL.mdandAGENTS.md(Guardian G11), which treats external content as data only. - Capability Inventory: The runtime is capable of file manipulation, Git operations, and execution of configured build/test scripts.
- Sanitization: Input is processed using structural regex patterns rather than direct evaluation, and identifiers like workspace names are slugified for filesystem safety.
- [REMOTE_CODE_EXECUTION]: Automated security scans flagged installation patterns for the Bun runtime (
curl | bash). A manual review ofscripts/setup/core.tsandreferences/runtime/validation/env-and-guardians.tsconfirms that these strings are provided as instructional logs to assist users with environment setup if the runtime is missing, and are not executed by the skill itself.
Audit Metadata