open-notebook
Fail
Audited by Snyk on Apr 11, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets verbatim (e.g., posting {"api_key":"sk-..."} to /credentials and exporting OPEN_NOTEBOOK_ENCRYPTION_KEY in shell commands), which would require an LLM to insert actual secret values into generated requests or code.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests open/public URLs and web pages via the /api/sources endpoint (see SKILL.md "Sources" and references/examples.md and scripts/source_ingestion.py which add URL sources like Wikipedia/arXiv) and then builds chat context from those sources via /api/chat/context and /api/chat/execute so untrusted third-party content is read and fed into LLM prompts, enabling indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The Quick Start/installation fetches and runs remote container artifacts—e.g., curl https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml which references and pulls images like ghcr.io/lfnovo/open-notebook:latest and surrealdb/surrealdb:latest—so external URLs are used at runtime to retrieve and execute remote code that the skill depends on.
Issues (3)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata