Ecosystem Update - 2026-07-09
Highlights
- Today's strongest signal is not a config tweak: it is evaluation and safety pressure around MCP tool-risk metadata, trajectory diagnostics, and biased verifier failure modes
- No safe Quick Wins were auto-implemented; every plausible harness change either requires a new script/skill, edits policy docs, assumes unsupported server capabilities, or repeats previously rejected wholesale imports
Quick Wins (implemented today)
-
None passed the automatic-change gate n/aNo harness files changed
New Tools, Skills & Patterns
-
MCP taint-risk profile audit mcphttps://arxiv.org/abs/2607.07461 - Adapt the SPELLSMITH idea into a local read-only audit for configured MCP servers: inspect tool descriptions/parameter semantics, flag high-risk taint paths, and produce hardening notes before enabling new remote tools
-
STRACE-style trajectory root-cause adapter agent-pattern
-
Agent bug-report quality intake fixtures skillhttps://arxiv.org/abs/2607.07593 - Extend
fix-issueorbug-minerwith a preflight rubric for executable reproduction, localization cues, expected behavior, and source availability -
AgentLens trajectory review intakehttps://arxiv.org/abs/2607.06624 - Evaluate whether the existing completion evidence gate should add readable trajectory-review artifacts for nightly/runtime regressions instead of only pass/fail closure evidence
-
Blind Curator false-pass audit for skills skillhttps://arxiv.org/abs/2607.07436 - Add defect-injection checks to skill-retirement or skills-janitor workflows so false-pass verifier bias cannot silently keep weak skills alive
-
AgentEval workflow-boundary testing spikehttps://arxiv.org/abs/2607.06873 - Investigate graph-mined boundary tests for governed assistants and external-action workflows, especially confirmation, identity, and destructive-action gates
-
Compass parity audit agent-patternhttps://github.com/dshakes/compass - Compare cost-tiered agents, workflow commands, guardrail hooks, MCP parity, and marketplace packaging against current Codex-owned primitives; import only bounded ideas after audit
-
agnix linting audit skillhttps://github.com/agent-sh/agnix - Test whether its AGENTS/SKILL/hooks/MCP lint checks catch issues not already covered by
codex-skill-audit, config posture checks, and completion gates -
Hallucinated-resource install defense securityhttps://arxiv.org/abs/2607.07433 - Add an explicit resolver/installer policy check for skills/plugins/repos so Codex never installs a hallucinated or lookalike package name without a pinned source and audit
Research Worth Reading
-
From Noisy Traces to Root Causes: Structural Trajectory Analysis and Causal Extraction for Agent Optimization- Relevant to replanning evidence: reduce failed trace noise before changing prompts, policy, or runtime behavior
-
Mitigating Taint-Style Vulnerabilities in MCP Servers via Security-Aware Tool Descriptions- Directly relevant because the setup has many MCP servers, including remote authenticated endpoints
-
The Blind Curator: How a Biased Judge Silently Disables Skill Retirement in Self-Evolving Agents- Relevant to skill lifecycle and verifier trust; aggregate pass rates can hide false-pass bias
-
Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting- Relevant to skill/plugin/repo installation policy and hallucinated-resource defense
-
What Makes a Good Bug Report for an AI Agent?
-
AgentLens: Production-Assessed Trajectory Reviews for Coding Agent Evaluation- Maps cleanly to existing completion evidence and Wren validation artifacts
-
Mining Workflow Graphs for Black-Box Boundary Testing of Conversational LLM Agents- Useful for testing confirmation and authorization boundaries in governed workflows
Considered, Not Adopting
Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.
-
Wholesale public skill catalog imports — - Rejected as overbroad and high-risk; use
codex-skill-audit --strictand selective intake instead -
Boris auto-mode/worktree/nested-agent pack wholesale — - Rejected as conflicting with local AgentOps gates,
max_depth = 1, explicit loop specs, and human-gated autonomous work - Automatic self-updating skill behavior — - Rejected because a skill that downloads updates during invocation bypasses the outside-skill audit boundary
- Auto-format hooks from community tips — - Rejected as unsafe for automatic wiring; no existing formatter script was identified as the target and hooks that mutate code need per-repo consent
- Enable parallel MCP calls on every server — - Rejected because support is per-server and cannot be assumed for authenticated remote gateways
- AGENTS.md or AGENTS.override policy edits — - Rejected as Quick Wins by the ecosystem-update hard limit; policy changes require explicit direction
- Immediate MCP description hardening without a scanner — - Rejected as a Quick Win because it requires a new audit script or server-specific tool metadata review
- Adopt isolated VM/worktree runtime by default — - Rejected as overengineering for the current harness; use as a scoped spike only when a concrete isolation problem appears