LLM agents increasingly run inside execution harnesses that dispatch tools, allocate resources, and route messages between specialized components. However, a harness can return a correct, benign answer over a trajectory that accesses unauthorized resources or leaks context to the wrong agent. Output-level evaluation cannot see these failures, yet most safety benchmarks score only final outputs or terminal states, even though many violations occur mid-trajectory rather than at termination. The central question is whether the harness respects user intent, permission boundaries, and information-flow constraints throughout execution. To address this gap, we propose HarnessAudit, a framework that audits full execution trajectories across boundary compliance, execution fidelity, and system stability, with a focus on multi-agent harnesses where these risks are most pronounced. We further introduce HarnessAudit-Bench, a benchmark of 210 tasks across eight real-world domains, instantiated in both single-agent and multi-agent configurations with embedded safety constraints. Evaluating ten harness configurations across frontier models and three multi-agent frameworks, we find that: (i) task completion is misaligned with safe execution, and violations accumulate with trajectory length; (ii) safety risks vary across domains, task types, and agent roles; (iii) most violations concentrate in resource access and inter-agent information transfer; and (iv) multi-agent collaboration expands the safety risk surface, while harness design sets the upper bound of safe deployment.

翻译：大语言模型智能体越来越多地在执行框架内运行，这些框架负责调度工具、分配资源以及在专门组件之间路由消息。然而，一个执行框架可能会在一条访问了未授权资源或向错误智能体泄露上下文的轨迹上，返回一个正确且无害的答案。输出级评估无法发现这些故障，但多数安全基准仅对最终输出或终止状态进行评分，即便许多违规行为发生在轨迹中途而非终点处。核心问题在于，执行框架在整个执行过程中是否尊重用户意图、权限边界以及信息流约束。为填补这一空白，我们提出了HarnessAudit，这是一个对完整执行轨迹进行审计的框架，涵盖边界合规性、执行保真度和系统稳定性，重点关注这些风险最为突出的多智能体执行框架。我们进一步引入了HarnessAudit-Bench，这是一个包含210个任务、跨越八个真实世界领域的基准测试集，以单智能体和多智能体两种配置实例化，并嵌入了安全约束。通过对领先模型以及三种多智能体框架下的十种执行框架配置进行评测，我们发现：(i) 任务完成度与安全执行之间存在偏差，违规行为随轨迹长度累积；(ii) 安全风险因领域、任务类型和智能体角色而异；(iii) 大多数违规行为集中在资源访问和智能体间信息传输环节；(iv) 多智能体协作扩大了安全风险面，而执行框架设计则决定了安全部署的上限。