nav-marker
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): Category 8 (Indirect Prompt Injection). The skill ingests untrusted conversation history to generate context 'markers'. Evidence: Ingestion point found in
functions/marker_compressor.pyandSKILL.mdStep 3. Boundary markers are entirely absent, and there is no sanitization of the captured conversation content. The skill possessesWriteandBashcapabilities, which could be leveraged if malicious instructions embedded in the conversation are persisted into a marker and later interpreted as commands during restoration. - COMMAND_EXECUTION (MEDIUM): The skill utilizes the
Bashtool for environment setup and integrity verification. Evidence:SKILL.md(Step 1, Step 4.5) uses shell commands formkdirandmd5sum. While the current commands are relatively safe, the pattern of executing shell scripts alongside untrusted data ingestion increases the overall attack surface. - METADATA_POISONING (LOW): There is an inconsistency between the skill metadata in
SKILL.md(which referencescreate_marker.py) and the actual provided scriptfunctions/marker_compressor.py.
Recommendations
- AI detected serious security threats
Audit Metadata