nav-diagnose
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Surface (Category 8). The skill evaluates untrusted user input to trigger diagnostics and re-anchoring routines.
  - Ingestion points: Step 1 analyzes the last 10-15 messages in the chat history (external untrusted content) for specific trigger phrases and correction counts.
  - Boundary markers: Absent. The skill does not define delimiters or provide instructions to the agent to ignore embedded commands within the analyzed user content.
  - Capability inventory: 'Bash' and 'Write' tools are permitted in YAML frontmatter. Step 5 specifically instructs the use of the 'Write' tool to save diagnostic data to 'nav-profile'.
  - Sanitization: Absent. User-influenced strings and inferred states are incorporated directly into diagnostic logs and re-anchoring prompts.
- [COMMAND_EXECUTION] (MEDIUM): Excessive privilege. The skill requests access to the 'Bash' tool despite its described purpose being purely conversational and diagnostic. This broad capability significantly escalates the potential impact of a successful indirect prompt injection attack.
- [DATA_EXFILTRATION] (LOW): Potential data poisoning. The skill writes diagnostic 'learnings' derived from user input to 'nav-profile'. Without sanitization, this allows an attacker to persist malicious instructions in profile files that other skills may read and execute later.
Recommendations
- AI detected serious security threats
Audit Metadata