open-notebook

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed API keys/secrets inline (e.g., POSTing {"api_key":"sk-..."} and export OPEN_NOTEBOOK_ENCRYPTION_KEY="your-secret-key-here"), which requires the agent to accept and output secret values verbatim and therefore poses exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests arbitrary public URLs via the /api/sources endpoint (shown in SKILL.md and references/api_reference.md) and example scripts (scripts/source_ingestion.py and references/examples.md add URLs like Wikipedia and arXiv), then builds chat context and runs LLM-driven transformations/chat (POST /api/chat/execute, /transformations and podcast generation) that use that content as prompt/context, so untrusted third-party web content can materially influence agent behavior and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The SKILL instructs users to run a curl that downloads and then runs a Docker Compose file (curl -o docker-compose.yml https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml followed by docker-compose up -d), which fetches remote container images (e.g., ghcr.io/lfnovo/open-notebook:latest) and thus executes remote code required for the service to run.