Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `navop skill install` or invokes the CLI/MCP bridge.
Impact
Can add or forcibly replace the package-owned Navop skill; runtime capabilities depend on tools and approvals exposed by the local Navop host.
Mechanism
Explicit first-party agent-skill installation and loopback MCP proxying.
Rationale
No malicious install-time behavior, exfiltration, remote endpoint, or stealth persistence was found. Per policy, explicit agent-config mutation and agent-capability setup warrant a warning despite the package-aligned implementation.
Evidence
package.jsondist/navop.jsdist/navop-mcp.jsdist/chunk-J6GCDUT2.jsdist/chunk-KZ3SBMYU.jsskills/navop/SKILL.mdskills/navop~/.codex/skills/navop~/.agents/skills/navop