nav-graph
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill stores unsanitized user input from corrections and task documents into markdown files and a JSON knowledge graph, which could be used to inject instructions into the agent's long-term memory.
  - Ingestion points: Reads from .agent/.user-profile.json and .agent/tasks/TASK-*.md.
  - Boundary markers: Absent. The skill does not use delimiters or 'ignore instructions' warnings when storing user-derived content into .agent/knowledge/memories/.
  - Capability inventory: Writes and updates files in the .agent/knowledge/ directory and modifies graph.json.
  - Sanitization: Lacks escaping or validation for user-provided strings (e.g., summary, details, pattern) before they are interpolated into markdown templates in memory_writer.py.
- Data Exposure & Exfiltration (SAFE): The skill interacts with local agent data files (.user-profile.json, graph.json) but does not perform any network operations or access sensitive system credentials.
- Remote Code Execution (SAFE): No remote code execution patterns, external package installations, or dynamic code execution (e.g., eval, exec) were detected.