notebook-ml-architect
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill has a significant attack surface as it is designed to ingest and process external Jupyter notebooks.
- Ingestion points: Reads
.ipynbfiles using the Read tool and various Python scripts (e.g.,SKILL.md). - Boundary markers: The instructions lack any boundary markers or warnings to ignore embedded instructions within the processed notebooks.
- Capability inventory: The skill provides capabilities to execute notebooks (
scripts/run_notebook.py), convert them to scripts (scripts/convert_to_script.py), and perform deep analysis (scripts/analyze_notebook.py). - Sanitization: There is no evidence of sanitization or safety checks to ensure the notebook content is benign before execution or parsing.
- Command Execution (HIGH): The skill instructs the agent to run multiple local shell commands using Python scripts that take untrusted notebook files as arguments. This could lead to arbitrary command execution if the scripts themselves have vulnerabilities or if the notebook format is manipulated to exploit the parser.
- Remote Code Execution (MEDIUM): While the scripts are local, the
run_notebook.pyutility serves as a direct bridge for executing code from an external source (the notebook author) on the local machine.
Recommendations
- AI detected serious security threats
Audit Metadata