harnass-engineer-plan

Status: Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md and research-and-plan.yaml files include 'CRITICAL EXECUTION RULES' that explicitly command the agent to ignore standard turn-taking protocols. The instructions 'Do NOT ask "should I proceed?"' and 'Do NOT wait' after a plan is approved are designed to bypass human-in-the-loop safety checkpoints for all subsequent implementation tasks.
  • [COMMAND_EXECUTION]: The skill frequently invokes the Bash tool to perform repository scanning and project management. Notable commands include 'ripgrep' (rg) for searching directory contents and 'python -c' for extracting scripts from package.json and checking for the presence of lock files. It also uses git commands for worktree and branch management during the implementation phase.
  • [REMOTE_CODE_EXECUTION]: The 'begin-implementation' step in research-and-plan.yaml defines a flow where the agent executes arbitrary shell commands found in 'task.implementation_steps' and 'task.validation_commands' without further user verification. This allows for the automated execution of generated or repository-derived code sequences.
  • [EXTERNAL_DOWNLOADS]: The 'web-search-market-stacks' step utilizes the WebSearch tool to fetch external data regarding framework readiness and best practices. While used for research, this process introduces unverified external content into the agent's decision-making context.
  • [INDIRECT_PROMPT_INJECTION]: The skill demonstrates an attack surface for indirect injection by ingesting data from untrusted local files like 'package.json', 'wrangler.toml', and '.env.example'.
      ◦ Ingestion points: repository configuration files and source code directories are scanned via ripgrep.
      ◦ Boundary markers: The skill does not implement delimiters or 'ignore' instructions when processing external repository data.
      ◦ Capability inventory: The agent possesses 'Bash', 'Write', and 'WebSearch' capabilities.
      ◦ Sanitization: No explicit sanitization or validation of the data extracted from the repository is performed before it is used to construct implementation tasks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 8, 2026, 03:12 AM