notte-functions-forge
Pass
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: SAFEPROMPT_INJECTIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) during the 'Explore' and 'Generate' phases.
- Ingestion points: Untrusted data enters the context via
notte page scrapeandnotte sessions networkwhen observing external websites inSKILL.mdandreferences/exploration.md. - Boundary markers: The skill lacks explicit boundary markers or delimiters to isolate scraped page content from the instructions used to generate code.
- Capability inventory: The skill has the capability to write files (
Write,Edit), create cloud resources (notte functions create), and execute them (notte functions run). - Sanitization: There is no automated sanitization or filtering of the scraped content before it is used to influence the Python code generation in Phase 3.
- [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution by design (Category 4 and 10).
- It generates a Python script (
forged_function.py) based on an interactive session and external website structure. - It then deploys this script to the 'Notte Cloud' environment via
notte functions createand executes it usingnotte functions run. - While this is the intended functionality for the 'nottelabs' ecosystem, it poses a risk if the generation logic is compromised by malicious website content.
- [COMMAND_EXECUTION]: The skill makes extensive use of the
notteCLI viaBash(notte:*). - It interpolates variables like
{url}and{fields}directly into shell commands. Although the instructions use double quotes (e.g.,notte page goto "{url}"), there is a potential for command injection if the underlying agent does not properly escape these inputs before execution.
Audit Metadata