harnass-engineer-plan

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill explicitly mandates automatic, post-approval execution (no further consent), can run arbitrary implementation/validation shell steps, read repository files (including .env-like files), and call external skills — a design that enables remote code execution, unauthorized repo modification, and potential data exfiltration if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly runs a WebSearch in the "web-search-market-stacks" step of documents/scenarios/research-and-plan.yaml, ingests findings into harnass-os/documents/inventory/current-state.yaml (market_context) and uses those findings to recommend stack changes and influence planning decisions, which exposes the agent to untrusted public web content that could carry indirect prompt-injection instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill mandates automatically executing implementation and deployment tasks (writing files, running build/deploy/entrypoint commands, and altering repo/runtime state) without further confirmation, which can change the machine's state and enable privileged or system-level modifications even though it doesn't explicitly request sudo or create users.