navvi-browse
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it navigates to and processes content from arbitrary external websites.
- Ingestion points: Web content is ingested via
navvi_openandnavvi_browsetools (SKILL.md). - Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the browsing workflow.
- Capability inventory: The agent can click, fill forms, press keys, and manage credentials (
navvi_click,navvi_fill,navvi_creds), providing a significant attack surface if malicious instructions are encountered on a page. - Sanitization: No sanitization or validation of page content is described before the agent 'analyzes' and 'identifies' elements to interact with.
- [DATA_EXFILTRATION]: The skill implements a 'milestone' system that records detailed activity logs, potentially exposing sensitive information.
- Evidence: The
navvi_milestonetool is used to record the 'FULL text' of posts, comments, and profile changes, which are then stored as achievements. This could inadvertently capture private data during browsing sessions. - [CREDENTIALS_UNSAFE]: The skill requires a
NAVVI_GPG_PASSPHRASEand provides instructions that may lead to weak security configurations. - Evidence: SKILL.md suggests that users set the passphrase to 'any-random-string' if certain features are disabled, which encourages poor security practices regarding the protection of the credential vault.
Audit Metadata