navan-core-workflow-b
Automates Navan expense reporting and transaction synchronization with ERP systems for efficient financial management.
Security score
The navan-core-workflow-b skill was audited on May 23, 2026 and we found 23 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 51 | const tokenRes = await fetch(`${process.env.NAVAN_BASE_URL}/ta-auth/oauth/token`, { |
| 61 | const headers = { Authorization: `Bearer ${access_token}` }; |
| 71 | `${process.env.NAVAN_BASE_URL}/v1/bookings` + |
| 78 | console.log(`ID: ${txn.transaction_id}`); |
| 79 | console.log(` Employee: ${txn.employee_name} (${txn.employee_id})`); |
| 80 | console.log(` Amount: ${txn.currency} ${txn.amount}`); |
| 81 | console.log(` Category: ${txn.category}`); |
| 82 | console.log(` Status: ${txn.approval_status}`); |
| 83 | console.log(` Merchant: ${txn.merchant_name}`); |
| 114 | console.log(`${txn.transaction_id}: $${txn.amount} -> route to ${approver}`); |
| 139 | console.log(`${txn.transaction_id}: ${txn.category} -> GL ${gl}`); |
| 155 | memo: `Navan: ${txn.merchant_name} - ${txn.employee_name}`, |
| 167 | console.log(`Prepared ${journalEntries.length} journal entries for NetSuite sync`); |
| 194 | ```python |
Access to .env file
| 51 | const tokenRes = await fetch(`${process.env.NAVAN_BASE_URL}/ta-auth/oauth/token`, { |
| 56 | client_id: process.env.NAVAN_CLIENT_ID!, |
| 57 | client_secret: process.env.NAVAN_CLIENT_SECRET!, |
| 71 | `${process.env.NAVAN_BASE_URL}/v1/bookings` + |
External URL reference
| 42 | 1. Navigate to [Navan Help Center](https://app.navan.com/app/helpcenter) |
| 199 | base_url = os.environ.get('NAVAN_BASE_URL', 'https://api.navan.com') |
| 224 | - [Navan Help Center](https://app.navan.com/app/helpcenter) — Support and documentation |
| 225 | - [Navan Integrations](https://navan.com/integrations) — NetSuite, Sage Intacct, Xero, QuickBooks connectors |
| 226 | - [Booking Data Integration](https://app.navan.com/app/helpcenter/articles/travel/admin/other-integrations/booking-data-integration) — Data export configuration |