open-notebook

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets verbatim (e.g., posting {"api_key":"sk-..."} to /credentials and exporting OPEN_NOTEBOOK_ENCRYPTION_KEY in shell commands), which would require an LLM to insert actual secret values into generated requests or code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests arbitrary public URLs (SKILL.md Sources section and POST /api/sources examples) and the example scripts (scripts/source_ingestion.py adds en.wikipedia.org and SKILL.md shows arXiv/Nature URLs) then includes those sources in chat context (chat/execute with "include_sources": true), so untrusted third‑party content is fetched and directly used to build prompts and drive LLM responses.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The Quick Start explicitly instructs fetching a remote compose file via https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml and then running docker-compose up -d, which causes execution of container images (e.g., ghcr.io/lfnovo/open-notebook:latest) pulled from remote registries—remote content that is fetched and executed as part of deployment and thus can control runtime behavior.