nb
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from notes and bookmarks and possesses high-privilege write/execute capabilities.
  - Ingestion points: Commands like `nb show <id>`, `nb search "query"`, and `nb list` retrieve content from local markdown files in `~/.nb/` which may contain instructions from external sources.
  - Boundary markers: Absent. No delimiters are used to separate note content from instructions.
  - Capability inventory: The skill can create, edit, move, and delete files (`nb add`, `nb edit`, `nb delete`) and perform network operations via Git (`nb sync`).
  - Sanitization: Absent. No sanitization of ingested content is performed.
- External Downloads (MEDIUM): The skill requires the `nb` binary as a prerequisite. The homepage points to https://github.com/xwmx/nb, which is not an officially trusted source. While the tool is a legitimate open-source project, the agent's reliance on a third-party binary not maintained by a trusted organization presents a supply chain risk.
- Command Execution (MEDIUM): The skill provides an `nb git` interface allowing for the execution of arbitrary Git commands. This could be exploited via prompt injection to modify repository configurations, view sensitive logs, or execute unauthorized Git operations.
Recommendations
- AI detected serious security threats
Audit Metadata