open-notebook
Warn
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's setup instructions require the agent or user to download a docker-compose.yml file from an external GitHub repository (https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml) which is not from a verified trusted organization.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its data ingestion capabilities.
  - Ingestion points: The skill processes external content including web URLs, PDFs, and Office documents via the /api/sources endpoint, as documented in SKILL.md and references/api_reference.md.
  - Boundary markers: No explicit instructions or delimiters are provided to the agent to disregard instructions potentially embedded within the processed research materials.
  - Capability inventory: The skill can execute shell commands (docker-compose), perform network operations (requests), and write to the local filesystem (curl -o). These capabilities could be triggered maliciously if the agent follows instructions found inside untrusted ingested documents.
  - Sanitization: There is no evidence of sanitization or validation logic for external content in the provided scripts.
- [COMMAND_EXECUTION]: The skill instructs the execution of local shell commands for deployment and configuration, specifically using docker-compose up -d to launch services and export to set encryption keys.
- [REMOTE_CODE_EXECUTION]: The file scripts/test_open_notebook_skill.py contains a call to the Python compile() function to parse the contents of other scripts. While used for syntax validation within a test suite, this pattern involves the dynamic parsing of code content.
Audit Metadata