Harness Engineer

Security checks across malware telemetry and agentic risk

Overview

The skill discloses that it is an autonomous coding harness, but it requests broad authority (spawning agents, scheduling jobs, writing to the repository and, optionally, running commands in an external vault) that needs careful review before use.

Install it only in a sandboxed repository or a throwaway branch, after verifying the platform controls listed in PLATFORM_REQUIREMENTS.md. Start with the default single-pass mode, leave Obsidian export disabled unless you trust and validate the vault path, and do not enable continuous mode, scheduler jobs, broad subagent spawning or garbage-collection refactors without explicit review and cleanup controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High severity, 97% confidence
Obsidian mode asks for an arbitrary absolute vault path and then directs subagents to run `claude --continue` in that user-supplied directory, so agent actions take place outside the repository boundary. This creates a path-trust and command-execution risk: a malicious or mistaken path could lead to unintended writes, data exposure, or interaction with sensitive filesystem locations.

Context-Inappropriate Capability

Medium severity, 88% confidence
The loop explicitly instructs the agent to set cron jobs, monitor background subagents, kill stalled agents, and respawn new ones. In an autonomous engineering harness, these are privileged process-management and persistence behaviors that can outlive the user’s immediate session and affect the host environment, yet this file does not constrain them to an approved sandbox or require explicit per-action human consent.

Description-Behavior Mismatch

Medium severity, 89% confidence
The protocol explicitly allows tools to consume external content from web, MCP servers, and untrusted file paths, while also instructing the agent to continue operating after failures by logging and dispatching a debugger agent. In a persistent autonomous engineering harness, this expands trust boundaries and enables indirect prompt injection, unsafe data flow, and autonomous follow-on actions without requiring a human approval gate for risky external inputs.

Vague Triggers

Medium severity, 89% confidence
The activation text includes a broad catch-all that triggers on essentially any request for an agentic engineering system that runs without constant human input. In a skill that orchestrates persistent autonomous coding, this can cause the skill to activate in contexts beyond the operator’s intent, increasing the chance of over-privileged automation, unsafe repository modification, or bypass of expected human review workflows.

Vague Triggers

Medium severity, 91% confidence
The agent is configured to "run automatically" on a recurring schedule using a broad runtime trigger, without explicit scoping, approval gates, or strong activation constraints. In an autonomous engineering harness, that can cause unsupervised code modification, deletion, or refactoring across the repository based on heuristic signals such as staleness or duplication, increasing the chance of unintended changes and abuse if the agent is misconfigured or influenced by adversarial repository content.

Missing User Warnings

Medium severity, 96% confidence
The skill instructs execution of external CLI commands in a user-supplied absolute path without an explicit warning or safety gate. In the context of an autonomous engineering harness, that is more dangerous because the system is designed to persist and act with limited human supervision, increasing the chance of unintended filesystem changes or execution in sensitive locations.
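The Overview's advice to validate the vault path, and the two findings above about running `claude --continue` in an operator-supplied absolute path, come down to a single guard: canonicalise the path, confirm that it lies under an allowed root and looks like a vault, and only then launch the agent with that directory as its working directory and without a shell. What follows is an added example, not code from the Harness Engineer skill or from SkillSpector; the allowed-root list, the `.obsidian` marker check, the `VaultPathError` type and the injectable `runner` are assumptions made for illustration, and the directory layout in `demo()` is constructed in a temp dir.

```python
"""Guard for launching an agent inside an operator-supplied vault directory.

Added example, not code from the Harness Engineer skill or SkillSpector.
The allowed-root policy, the .obsidian marker check and the injectable
runner are assumptions made for illustration.
"""
from __future__ import annotations

import os
import subprocess
from pathlib import Path

# Hypothetical policy: a vault may only live under one of these roots.
ALLOWED_VAULT_ROOTS = ("/home/alice/vaults",)


class VaultPathError(ValueError):
    """Raised when a user-supplied vault path fails validation."""


def validate_vault_path(user_path: str, allowed_roots=ALLOWED_VAULT_ROOTS) -> Path:
    """Return the canonical vault path, or raise VaultPathError.

    resolve() collapses '..' and follows symlinks before the containment
    check, so the decision is made on where the path really points.
    """
    if not os.path.isabs(user_path):
        # A relative path would resolve against the agent's cwd, which in a
        # scheduled or continuous run is not under the operator's control.
        raise VaultPathError(f"vault path must be absolute: {user_path!r}")
    try:
        real = Path(user_path).resolve(strict=True)
    except (FileNotFoundError, RuntimeError) as exc:
        raise VaultPathError(f"vault path does not exist: {user_path!r}") from exc
    roots = [Path(r).resolve() for r in allowed_roots]
    if not any(root in real.parents for root in roots):
        raise VaultPathError(f"{real} is outside the allowed vault roots {allowed_roots}")
    if not real.is_dir():
        raise VaultPathError(f"{real} is not a directory")
    if not (real / ".obsidian").is_dir():
        # Refuse plain directories: a vault carries Obsidian's marker directory.
        raise VaultPathError(f"{real} has no .obsidian directory; not treating it as a vault")
    return real


def continue_agent_in_vault(user_path: str, allowed_roots=ALLOWED_VAULT_ROOTS,
                            runner=subprocess.run):
    """Validate the path, then run `claude --continue` with the vault as cwd.

    The command is an argv list (no shell), so the path is never interpolated
    into a command string; it reaches the child only as its working directory.
    """
    vault = validate_vault_path(user_path, allowed_roots)
    return runner(["claude", "--continue"], cwd=str(vault), check=True)


def demo() -> dict:
    """Exercise the guard on a constructed layout inside a temp dir:
    <tmp>/vaults/notes/.obsidian (real vault), <tmp>/vaults/plain (not a
    vault) and <tmp>/vaults/escape -> <tmp>/secret (symlink leaving the root).
    """
    import tempfile

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "vaults"
        vault = root / "notes"
        (vault / ".obsidian").mkdir(parents=True)
        (root / "plain").mkdir()
        outside = Path(tmp) / "secret"
        outside.mkdir()
        (root / "escape").symlink_to(outside)
        roots = (str(root),)

        calls = []  # record the launch instead of spawning claude

        def fake_runner(argv, cwd, check):
            calls.append((argv, cwd))
            return 0

        continue_agent_in_vault(str(vault), roots, runner=fake_runner)
        results["good"] = calls == [(["claude", "--continue"], str(vault.resolve()))]

        should_reject = {
            "symlink_escape": str(root / "escape"),
            "dotdot_escape": str(vault / ".." / ".." / "secret"),
            "relative": "notes",
            "not_a_vault": str(root / "plain"),
            "missing": str(root / "nope"),
        }
        for name, candidate in should_reject.items():
            try:
                validate_vault_path(candidate, roots)
                results[name] = "accepted"
            except VaultPathError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The check that matters most is the one on the resolved path rather than the typed one: a symlink placed inside an otherwise legitimate vault, or a `..` segment, would otherwise point the agent's working directory at a location the operator never approved.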

Missing User Warnings

Medium severity, 84% confidence
These instructions authorize system-modifying actions—spawning subagents, killing them, and scheduling periodic checks—without a clear user-facing warning at the point of action. Even in a repo-engineering context, silent operational changes to the runtime environment can surprise users and create safety, auditability, and availability issues.

Missing User Warnings

Medium severity, 83% confidence
The rule mandates that every failure must create a repository artifact such as a constraint, test, or documentation entry, which authorizes autonomous repository changes by default. In an autonomous engineering harness, silent write behavior can surprise users, create unwanted commits, and alter project state without explicit contemporaneous consent or a prominent warning.

Missing User Warnings

Low severity, 86% confidence
The document instructs persistent logging into MEMORY.md and multiple docs/status files without any explicit disclosure or data-minimization guardrails. In a long-running autonomous system, this can accumulate sensitive operational details, prompts, file paths, and failure context in the repository, increasing privacy and information-exposure risk.

Ssd 3

Medium severity, 80% confidence
The instruction to record user vision verbatim increases the chance that sensitive business context, credentials, personal data, or confidential roadmap details are stored in plain text across status artifacts. In a persistent autonomous harness that writes many logs and handoff files, this materially increases retention and secondary exposure risk.
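The two findings above (persistent logging into MEMORY.md and status files without data-minimization guardrails, and recording the user's vision verbatim) share one choke point: the moment the harness appends text to a repository artifact. A redaction pass at that point keeps the operational log useful while keeping credential-shaped strings and personal data out of the repository. The following is an added example, not part of the Harness Engineer skill or of SkillSpector; the `SECRET_PATTERNS` list, the `redact` and `append_status` helpers and the sample status entry (whose key-like strings are constructed, not real credentials) are assumptions made for illustration. Pattern coverage is deliberately small; a deployment would feed a dedicated secret scanner at the same point.

```python
"""Redact credential-shaped strings before a harness persists text.

Added example, not code from the Harness Engineer skill or SkillSpector.
The patterns, helpers and sample entry below are constructed for illustration.
"""
from __future__ import annotations

import re
from pathlib import Path

# Constructed, illustrative patterns. Order matters: multi-line blocks first,
# then fixed-format tokens, then generic key=value pairs, then personal data.
SECRET_PATTERNS = [
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    # key name containing a sensitive word, a separator, then the value
    ("kv_secret", re.compile(
        r"(?i)\b([\w-]*(?:password|passwd|secret|api[_-]?key|token)[\w-]*)(\s*[:=]\s*)(\S+)")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Return the text with matches replaced, plus a per-pattern hit count.

    The count is what the harness should log ("2 kv_secret redacted"), never
    the matched values themselves.
    """
    counts: dict[str, int] = {}
    for name, pattern in SECRET_PATTERNS:
        def _replace(match: re.Match, name: str = name) -> str:
            counts[name] = counts.get(name, 0) + 1
            if name == "kv_secret":
                # keep key name and separator so the entry stays readable
                return f"{match.group(1)}{match.group(2)}[REDACTED:{name}]"
            return f"[REDACTED:{name}]"
        text = pattern.sub(_replace, text)
    return text, counts


def append_status(path: Path, entry: str) -> dict[str, int]:
    """Append an entry to MEMORY.md or a docs/status file, redacted first.

    This is the single write path a harness should use for all such files;
    returning the counts lets the caller note what was stripped.
    """
    cleaned, counts = redact(entry)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(cleaned.rstrip("\n") + "\n")
    return counts


# Constructed "verbatim vision" entry of the kind the skill would record.
# None of the strings below are real credentials.
SAMPLE_STATUS_ENTRY = """\
## Vision (recorded verbatim)
Ship the billing migration by Q3. Use the staging creds for now:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" https://api.internal/v1
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
-----END OPENSSH PRIVATE KEY-----
Contact: cfo@example.com, password: hunter2
"""


def demo() -> tuple[str, dict[str, int]]:
    """Write the sample entry through append_status into a temp MEMORY.md
    and return what actually landed on disk together with the counts."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        memory = Path(tmp) / "MEMORY.md"
        counts = append_status(memory, SAMPLE_STATUS_ENTRY)
        return memory.read_text(encoding="utf-8"), counts


if __name__ == "__main__":
    on_disk, counts = demo()
    print(on_disk)
    print(counts)
```

The `kv_secret` rule keeps the key name and separator (`AWS_SECRET_ACCESS_KEY=[REDACTED:kv_secret]`) so a later reader still knows what was configured, while the value never reaches the file; the roadmap sentence that carries no secret is left untouched, which is the data-minimization balance the finding asks for.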

VirusTotal

66/66 vendors flagged this skill as clean.
