harness
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by reading data from potentially untrusted sources such as harness-tasks.json, harness-progress.txt, and session transcripts, and then injecting this content into the agent's context.
  - Ingestion points: Data is read from project-local state files and transcripts in harness-sessionstart.py, harness-stop.py, and self-reflect-stop.py.
  - Boundary markers: Injected context is prefixed with identifiers like "HARNESS: ", but the skill does not use strict delimiters, and it does not instruct the agent to ignore any embedded commands within the ingested data.
  - Capability inventory: The agent is empowered with high-privilege capabilities, including filesystem access and the execution of arbitrary shell commands through its tools.
  - Sanitization: There is no evidence of sanitization or validation of the data read from these files before it is passed to the agent.
- [COMMAND_EXECUTION]: The skill framework is built around the agent executing shell commands specified in the project directory, such as harness-init.sh and the validation.command field in the task configuration. This allows the execution of arbitrary code within the agent's operating environment.
- [PROMPT_INJECTION]: Multiple hook scripts (harness-stop.py, harness-subagentstop.py, harness-teammateidle.py) override the agent's default behavior by blocking session termination and idle states until specific internal task conditions are met, creating a persistent autonomous loop.
Audit Metadata