harness
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The framework's core logic requires the agent to execute arbitrary shell commands specified in the validation.command field of the harness-tasks.json configuration. While functional for task verification, this architecture provides a direct path to arbitrary code execution if the task list is manipulated by malicious input or prompts.
- [COMMAND_EXECUTION]: The framework is designed to automatically execute a local harness-init.sh script at the start of every session if it exists in the project root. This presents a vector for persistent arbitrary command execution within the agent's environment.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through its session reporting hooks (e.g., harness-sessionstart.py and harness-stop.py).
  - Ingestion points: The hooks ingest data from harness-tasks.json (task titles, IDs, error logs) and harness-progress.txt (append-only activity log).
  - Boundary markers: Hook outputs are prefixed with "HARNESS: " but do not use robust delimiters or instructions to ignore embedded commands within the ingested task data that is reflected back to the agent.
  - Capability inventory: The agent is granted capabilities to execute shell commands (validation.command), modify the file system, and perform destructive git operations (git reset --hard).
  - Sanitization: No evidence of sanitization or filtering was found for task metadata or log strings before they are interpolated into the agent's system prompts.
- [PROMPT_INJECTION]: The reflect-on-stop.py script automatically injects a detailed "Self-Reflect" instruction set and checklist into the session upon task completion. This script also attempts to parse the session transcript file to extract and re-inject the user's original request, which could lead to context leakage or the re-activation of previously neutralized prompt injections.
Audit Metadata