open-notebook

Pass

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill is authored by a trusted vendor and all behaviors align with the documented purpose of providing an interface to a self-hosted research tool.
  • [EXTERNAL_DOWNLOADS]: The skill documentation includes instructions to download a docker-compose.yml configuration file from the project's official GitHub repository to facilitate installation.
  • [COMMAND_EXECUTION]: Provides standard shell commands for Docker service orchestration, environment variable configuration, and persistent volume management.
  • [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted external data (such as PDFs and web URLs) via the /api/sources endpoint. This content is subsequently used as context for AI-powered operations within the /api/chat and /api/transformations modules. This architectural pattern represents an indirect prompt injection surface.
    • Ingestion points: Untrusted data enters the system through the /api/sources endpoint (documented in SKILL.md and api_reference.md).
    • Boundary markers: The documentation does not specify the use of delimiters or explicit instructions to ignore embedded commands within the processed sources.
    • Capability inventory: The skill interacts with local API endpoints that trigger LLM-driven chat responses and content transformations.
    • Sanitization: No evidence of automated sanitization or filtering of external content is present in the provided skill scripts or API descriptions.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 25, 2026, 01:21 PM