checkpoint
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to automatically discover and read sensitive authentication credentials (e.g.,
cliApiToken) from local configuration files located at~/.hapi/settings.jsonand~/.hapi/runner.state.json. It also archives complete conversation histories from the Hapi API into local markdown files within the project's.checkpoints/directory.\n- [PROMPT_INJECTION]: The skill implements a 'Persistent Execution Protocol' that explicitly instructs the agent to bypass user confirmation and proceed with tasks autonomously ('不要在每个 step 之间停下等待用户确认'), which removes human-in-the-loop oversight. It also introduces a vulnerability to indirect prompt injection.\n - Ingestion points: archived conversation files in
.checkpoints/threads/<thread-id>/history/containing previous user and assistant messages.\n - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when the agent reads or searches these archives.\n
- Capability inventory: Extensive capabilities including file system modification, Git command execution (
git commit,git status), and network operations viacurlto the Hapi API.\n - Sanitization: Historical content is read and processed without validation or filtering for potentially malicious embedded instructions.\n- [COMMAND_EXECUTION]: The skill relies on extensive shell command execution using
node -eandcurlto process data and interact with the Hapi API, as seen in the credential discovery and session handoff procedures.\n- [REMOTE_CODE_EXECUTION]: The skill automates the creation of new AI agent sessions on remote or local 'machines' via the Hapi spawn API (/api/machines/:id/spawn), enabling the programmatic spawning and execution of new agent contexts.
Audit Metadata