harnessprotocol/harness-validate
plugins/harness-share/skills/harness-validate/SKILL.md
Use when user invokes /harness-validate or wants to check whether a harness.yaml file is valid according to the Harness Protocol v1 JSON Schema. Reports validation errors with field paths and helpful fix suggestions.
$ install --global
skillsauthnpx skillsauth add harnessprotocol/harness-kit harness-validateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 7:26 AM4.3s2 files scanned
SKILL.md
- name:
- harness-validate
- description:
- Use when user invokes /harness-validate or wants to check whether a harness.yaml file is valid according to the Harness Protocol v1 JSON Schema. Reports validation errors with field paths and helpful fix suggestions.
- disable-model-invocation:
- true
Validate a Harness Configuration
You are helping the user validate a harness.yaml file against the Harness Protocol v1 JSON Schema.
Workflow Order (MANDATORY)
Follow these steps in order. Do not skip any step.
Step 1: Find the file
Check for the harness file in this order:
- A path provided by the user after
/harness-validate(e.g.,/harness-validate ~/dotfiles/harness.yaml) ./harness.yamlin the current directory
If no file is found at either location, tell the user:
"No
harness.yamlfound. Specify a path:/harness-validate path/to/harness.yaml"
Read the file contents.
Step 2: Run validation
Install the validation tools if not present and run validation:
python3 -m venv /tmp/hk-validate-venv 2>/dev/null || true
/tmp/hk-validate-venv/bin/pip install jsonschema pyyaml -q 2>/dev/null || \
(python3 -m venv /tmp/hk-validate-venv && /tmp/hk-validate-venv/bin/pip install jsonschema pyyaml -q)
Then run this validation script:
import json, sys, yaml
try:
from jsonschema import validate, ValidationError, SchemaError
from jsonschema.validators import validator_for
except ImportError:
print("ERROR: jsonschema not installed")
sys.exit(1)
SCHEMA_URL = "https://raw.githubusercontent.com/harnessprotocol/harness-protocol/spec/v1-foundation/schema/draft/harness.schema.json"
HARNESS_FILE = "harness.yaml" # replace with actual path
# Fetch the schema
import urllib.request
try:
with urllib.request.urlopen(SCHEMA_URL, timeout=5) as resp:
schema = json.loads(resp.read())
except Exception as e:
print(f"WARN: Could not fetch remote schema ({e}). Falling back to basic checks.")
schema = None
# Load the harness file
try:
with open(HARNESS_FILE) as f:
doc = yaml.safe_load(f)
except yaml.YAMLError as e:
print(f"FAIL: YAML parse error — {e}")
sys.exit(1)
if schema is None:
# Basic offline checks
errors = []
if "version" not in doc:
errors.append("Missing required field: version")
elif doc["version"] not in ("1", 1):
errors.append(f"version must be \"1\" (string) or 1 (legacy integer), got: {doc['version']!r}")
if "metadata" not in doc:
errors.append("Missing required field: metadata")
elif "name" not in doc.get("metadata", {}):
errors.append("metadata.name is required")
if errors:
for e in errors:
print(f"FAIL: {e}")
else:
print("PASS (basic checks only — schema fetch failed)")
sys.exit(0)
# Full schema validation
try:
validate(instance=doc, schema=schema)
print("PASS")
except ValidationError as e:
path = " → ".join(str(p) for p in e.absolute_path) or "(root)"
print(f"FAIL: {path}: {e.message}")
except SchemaError as e:
print(f"ERROR: Schema itself is invalid — {e.message}")
Run the script with /tmp/hk-validate-venv/bin/python3 and capture the output.
Step 3: Report results
On PASS:
"Your
harness.yamlis valid — passes Harness Protocol v1 schema validation."
If the file uses version: 1 (integer, legacy format), add:
"Note: this is in the legacy format (
version: 1integer). Run/harness-exportto regenerate in Harness Protocol v1 format (version: \"1\"string)."
On FAIL (validation errors):
Display errors with clear field paths and fix suggestions:
✗ harness.yaml failed validation:
plugins → 0 → source: 'marketplace' is not a valid property
Fix: Use source: owner/repo instead of marketplace: key.
Example: source: harnessprotocol/harness-kit
env → 0: 'default' is not allowed when sensitive is true
Fix: Remove the default value — sensitive vars must be set by the user,
never baked into the harness file.
(root): version must be "1" (string), got 1 (integer)
Fix: Change version: 1 to version: "1" (add quotes).
Common errors and their fixes:
| Error | Fix |
|-------|-----|
| version must be string "1" | Change version: 1 to version: "1" |
| source is not a valid property | Replace marketplace: key with source: owner/repo |
| default not allowed when sensitive: true | Remove the default value |
| metadata.name is required | Add a metadata.name field |
| Unknown additional property | Check for typos in field names |
After listing errors:
"Fix these issues and run
/harness-validateagain to confirm."
On YAML parse error:
"Your
harness.yamlhas a YAML syntax error:[error details]Common causes: wrong indentation, missing quotes around special characters (like
:in strings), or a tab used instead of spaces."
Common Mistakes
| Mistake | Fix |
|---------|-----|
| Reporting only the first error | Show all errors, not just the first one |
| Giving up if schema fetch fails | Fall back to basic checks and tell the user the schema was unavailable |
| Suggesting marketplace: as a fix | Always recommend source: owner/repo — that's the v1 format |
Related Skills
harnessprotocol/rubber-ducky
development
VerifiedTrustedCommunity
Use when you've planned a non-trivial change and are about to implement it, finished a complex or multi-file piece of work, just wrote tests, or are stuck on repeated failures — and any time the user says "rubber duck this", "rubber ducky", "get a second opinion", "sanity-check my plan", "poke holes in this", "what am I missing", "critique my approach", "review this before I build it", or "/rubber-ducky". Spawns independent read-only critics on DIFFERENT Claude models than the one driving the session to catch blind spots, design flaws, and substantive bugs while course corrections are still cheap. Skip it only for small, obvious, well-understood changes. Do NOT use for reviewing a finished diff or PR — use /review for that; rubber-ducky pressure-tests your own in-progress thinking before and during implementation.
8SKILL.mdUpdated Jun 7, 2026
harnessprotocol/dependabot-sweep
tools
VerifiedTrustedCommunity
Use when the user wants to fix, address, clear, or resolve open Dependabot security/vulnerability alerts for a repository, end to end. Fetches open alerts via the gh CLI, fixes them per ecosystem (pnpm/npm overrides + lockfile regen, cargo update, pip/go/bundler), verifies with audit and frozen-lockfile installs, then branches → commits → pushes → opens a PR, and squash-merges once CI is green — escalating only when a fix carries breaking-change risk or can't be resolved. Trigger on "/dependabot-sweep", "address the dependabot alerts", "fix the security vulnerabilities", "clear the dependabot alerts", "handle the dependency vulnerabilities", "sweep dependabot".
8SKILL.mdUpdated Jun 7, 2026
harnessprotocol/harness-docs
tools
VerifiedTrustedCommunity
Harness Kit documentation — installation, plugin catalog, creating plugins, cross-harness setup, architecture, and FAQ. Use when working with or configuring harness-kit plugins, understanding the plugin/skill system, installing slash commands, setting up AI coding tool configuration, answering questions about the plugin marketplace, writing SKILL.md files, using harness.yaml, or integrating with Copilot, Cursor, or Codex. Do NOT use for general Claude Code questions unrelated to harness-kit.
1SKILL.mdUpdated Apr 18, 2026
harnessprotocol/stats
development
VerifiedTrustedCommunity
Use when user invokes /stats or asks about Claude Code usage, token consumption, session history, model distribution, or activity patterns. Generates an interactive HTML dashboard with charts and tables, auto-opens in browser. Also triggers on "how much have I used Claude", "show my usage", "token usage", "session stats", "usage report", "usage dashboard". Do NOT use for API billing or cost estimation — token counts are not costs.
1SKILL.mdUpdated Apr 16, 2026