nav-task
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- DATA_EXFILTRATION (MEDIUM): The `functions/verify_extractor.py` script opens and reads files from paths provided directly as command-line arguments. Because there is no validation to ensure the path resides within a specific directory, an attacker could potentially influence the agent to read sensitive files like SSH keys or environment variables.
- COMMAND_EXECUTION (LOW): The `functions/verify_extractor.py` script is designed to parse and output shell commands found within markdown code blocks. This behavior constitutes an Indirect Prompt Injection surface. If an attacker can modify a task markdown file, they can insert malicious commands that the agent might subsequently execute.
  - Ingestion points: Reads task markdown files (`functions/verify_extractor.py`).
  - Boundary markers: Commands are extracted from sections delimited by `## Verify` and markdown code blocks.
  - Capability inventory: The script itself does not execute commands but serves them to the agent's shell for execution.
  - Sanitization: None; the script extracts raw text from code blocks, excluding only comments.
- PROMPT_INJECTION (LOW): `functions/index_updater.py` and `functions/task_formatter.py` interpolate user-provided descriptions and titles into markdown templates. While intended for documentation, these can be used to inject instructions that might influence the agent when it later reads the generated README or task files.