open-notebook

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs inserting secrets directly (e.g., exporting OPEN_NOTEBOOK_ENCRYPTION_KEY and POSTing {"api_key":"sk-..."}) which requires the LLM to accept and emit API keys/encryption keys verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). At runtime, the skill can ingest public web pages via the /api/sources endpoint using a user-supplied url, and the extracted full text from that outsider page is then used to build chat/search context that is fed into the LLM (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start explicitly instructs fetching and running the remote docker-compose file (https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml) via curl followed by docker-compose up, which downloads and executes remote container images (i.e., remote code) and is therefore a runtime external dependency that can control execution.