harness-engineer-cli
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS. The skill's main behavior is broadly consistent with project bootstrapping, and referenced vendors appear legitimate, but it introduces unnecessary transitive trust by reading another skill's content from local/session sources and copying it verbatim into the repo. No direct credential harvesting or malicious exfiltration is evident, so this is not confirmed malware; the primary concern is moderate supply-chain and prompt-injection risk from imported skill content.
Confidence: 82%
Severity: 56%
Audit Metadata