jupyter-notebook-analysis
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The 'Data Update Notebook Pattern' in 'SKILL.md' uses 'subprocess.run' with 'shell=True' to execute AWS CLI commands. The command string is built using f-strings containing variables like 's3_path' and 'tolid', which are derived directly from external data sources (Google Sheets). This creates a high risk of command injection if the input data contains malicious shell characters.
- [EXTERNAL_DOWNLOADS]: The skill implements logic to fetch data from external remote sources, including Google Sheets (via the 'SHEET_URL' placeholder) and AWS S3 buckets using the 'aws s3 cp' command. While these are used for data enrichment, they represent ingestion points for untrusted data.
- [PROMPT_INJECTION]: The skill presents an Indirect Prompt Injection surface (Category 8).
  - Ingestion points: Data is ingested from Google Sheets and local TSV files (SKILL.md).
  - Boundary markers: None identified; there are no delimiters or instructions to ignore embedded commands in the processed data.
  - Capability inventory: The skill uses 'subprocess.run' for shell commands and file system operations like 'to_csv' and 'Image.save' (SKILL.md).
  - Sanitization: There is no evidence of sanitization or validation of the data fields before they are used to construct file paths or shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata