skills/lvlup-sw/exarchos/checkpoint/Gen Agent Trust Hub

checkpoint

Fail

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The documentation in references/mcp-tool-reference.md explicitly recommends that users or agents install 'companion' tools by running npx create-exarchos. The npx command downloads and executes packages from the npm registry at runtime. Since the exarchos organization is not a verified trusted vendor, this pattern allows for the execution of arbitrary, unvetted remote code on the host system.
  • [PROMPT_INJECTION]: The skill's 'Structured Handoff Output' section in SKILL.md creates a surface for indirect prompt injection by persisting instructions across session boundaries.
  • Ingestion points: The checkpoint command generates a markdown summary that includes a 'House Rules' block; this content is designed to be re-read by the agent during the rehydrate phase in a new session.
  • Boundary markers: The handoff template lacks delimiters or instructions to treat the ingested state data as untrusted, allowing embedded imperatives to be interpreted as active system instructions.
  • Capability inventory: The skill exposes powerful state-mutation tools such as exarchos_workflow and exarchos_event which could be misused if the agent's behavior is manipulated via the handoff content.
  • Sanitization: There is no evidence of sanitization or validation logic to filter out malicious instructions from the handoff output.
  • Evidence: The template includes a dedicated ### House Rules section that explicitly commands the agent to 'apply every action this turn forward', effectively poisoning the agent's future context with potentially unverified mandates.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 7, 2026, 06:25 PM
Security Audit — agent-trust-hub — checkpoint