openspec-long-running-harness
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill executes arbitrary shell commands defined in configuration files and local scripts.
- Evidence: In
scripts/harness-end.sh(Line 80) andscripts/harness-verify-e2e.sh(Line 41), the variable$E2E_CMD(retrieved from.harness-config.json) is passed directly tobash -c. - Evidence: In
scripts/harness-start.sh(Line 34), the scriptopenspec/harness/init.shis executed automatically at the start of every session. - Risk: If an attacker can modify the
.harness-config.jsonorinit.shfile (e.g., via a malicious Pull Request), they can achieve arbitrary code execution on the user's machine when the agent runs this skill. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: The agent is instructed to read
openspec/harness/progress.log.mdandopenspec/harness/feature_list.jsonat the start of every session (SKILL.md,agents/openai.yaml). - Boundary markers: Absent. The instructions do not specify delimiters or warnings to ignore instructions found within these files.
- Capability inventory: The agent has the capability to execute shell commands (via the harness scripts), perform git operations, and modify the file system.
- Sanitization: Absent. There is no logic to filter or sanitize the contents of the progress log or feature list before the agent processes them as instructions for the next steps.
- Risk: Malicious instructions embedded in the progress log or feature descriptions could redirect the agent's behavior in subsequent sessions.
Audit Metadata