checkpoint
Fail
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation in
references/mcp-tool-reference.mdexplicitly recommends that users or agents install 'companion' tools by runningnpx create-exarchos. Thenpxcommand downloads and executes packages from the npm registry at runtime. Since theexarchosorganization is not a verified trusted vendor, this pattern allows for the execution of arbitrary, unvetted remote code on the host system. - [PROMPT_INJECTION]: The skill's 'Structured Handoff Output' section in
SKILL.mdcreates a surface for indirect prompt injection by persisting instructions across session boundaries. - Ingestion points: The
checkpointcommand generates a markdown summary that includes a 'House Rules' block; this content is designed to be re-read by the agent during therehydratephase in a new session. - Boundary markers: The handoff template lacks delimiters or instructions to treat the ingested state data as untrusted, allowing embedded imperatives to be interpreted as active system instructions.
- Capability inventory: The skill exposes powerful state-mutation tools such as
exarchos_workflowandexarchos_eventwhich could be misused if the agent's behavior is manipulated via the handoff content. - Sanitization: There is no evidence of sanitization or validation logic to filter out malicious instructions from the handoff output.
- Evidence: The template includes a dedicated
### House Rulessection that explicitly commands the agent to 'apply every action this turn forward', effectively poisoning the agent's future context with potentially unverified mandates.
Recommendations
- AI detected serious security threats
Audit Metadata