nav-compact
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. Ingestion points: Step 2 instructs the agent to summarize the last 15 messages of conversation history. Boundary markers: None; there are no delimiters or instructions to ignore embedded commands in the processed text. Capability inventory: The skill utilizes 'Bash' and 'Write' permissions to persist this data. Sanitization: None mentioned. Malicious instructions within the conversation history could be executed by the agent or carried into the saved context marker.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes shell commands using dynamic variables derived from the session context. Evidence: Step 3 and Step 5 use 'echo' and 'ls' with the '{marker-filename}' variable. Risk: If the generated filename incorporates unsanitized user-influenced data (e.g., task names), it could lead to command injection (e.g., via backticks or semicolons) or path traversal.
Recommendations
- AI detected serious security threats