nav-multi
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes local orchestration scripts including `navigator-multi-claude.sh` and `navigator-multi-claude-poc.sh`. These scripts are executed with arguments derived from user input and task files to manage multi-phase agent workflows.
- [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface due to the handling of external data.
  - Ingestion points: Task descriptions are retrieved from the first line of local files matching the pattern `.agent/tasks/${TASK_ID}*.md` via the `head` and `sed` commands.
  - Boundary markers: No specific delimiters or boundary instructions are implemented to isolate the ingested task content from the script logic.
  - Capability inventory: The ingested data is used as a positional argument for shell script execution and is embedded into a JSON state file (`.agent/tasks/${SESSION_ID}-state.json`) via a shell heredoc.
  - Sanitization: There is no evidence of sanitization or escaping for the `TASK_DESC` variable. If the source file contains special shell characters or JSON-breaking characters (like double quotes), it could result in malformed state files or unexpected behavior in the downstream orchestration scripts.
Audit Metadata