open-notebook
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download a docker-compose.yml configuration file from the project's public GitHub repository (https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml) for deployment. This is a standard and transparent installation method for the tool.
- [PROMPT_INJECTION]: The skill implements a research knowledge base that processes untrusted external data, creating a surface for Indirect Prompt Injection.
  - Ingestion points: Untrusted data enters the system through the /api/sources endpoint, supporting web URLs, PDF uploads, and raw text (referenced in SKILL.md and references/api_reference.md).
  - Boundary markers: The documentation and example prompts do not specify the use of delimiters or 'ignore embedded instructions' warnings for processed context.
  - Capability inventory: The system has capabilities to write to a database (notes, credentials), generate audio files (podcasts), and perform network operations via AI providers.
  - Sanitization: There is no evidence of content sanitization or instruction filtering in the provided integration scripts.
- [COMMAND_EXECUTION]: The test suite (scripts/test_open_notebook_skill.py) utilizes the Python compile() function to verify that example scripts are syntactically correct. This is a controlled use of dynamic execution for testing purposes and does not execute untrusted input from the network.
Audit Metadata