notte-functions-forge

Pass

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: SAFEPROMPT_INJECTIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) during the 'Explore' and 'Generate' phases.
  • Ingestion points: Untrusted data enters the context via notte page scrape and notte sessions network when observing external websites in SKILL.md and references/exploration.md.
  • Boundary markers: The skill lacks explicit boundary markers or delimiters to isolate scraped page content from the instructions used to generate code.
  • Capability inventory: The skill has the capability to write files (Write, Edit), create cloud resources (notte functions create), and execute them (notte functions run).
  • Sanitization: There is no automated sanitization or filtering of the scraped content before it is used to influence the Python code generation in Phase 3.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution by design (Category 4 and 10).
  • It generates a Python script (forged_function.py) based on an interactive session and external website structure.
  • It then deploys this script to the 'Notte Cloud' environment via notte functions create and executes it using notte functions run.
  • While this is the intended functionality for the 'nottelabs' ecosystem, it poses a risk if the generation logic is compromised by malicious website content.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the notte CLI via Bash(notte:*).
  • It interpolates variables like {url} and {fields} directly into shell commands. Although the instructions use double quotes (e.g., notte page goto "{url}"), there is a potential for command injection if the underlying agent does not properly escape these inputs before execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 1, 2026, 10:56 PM
Security Audit — agent-trust-hub — notte-functions-forge