open-notebook

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains examples that embed secrets verbatim (exporting OPEN_NOTEBOOK_ENCRYPTION_KEY and posting "api_key": "sk-...") and instructs adding provider API keys via the REST API or UI, which encourages the LLM/agent to accept and place raw secret values into requests or code—an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests arbitrary public web content via the POST /api/sources "url" flow (shown in SKILL.md, references/api_reference.md, references/examples.md and scripts/source_ingestion.py with example URLs like arxiv/nature/wikipedia) and then includes those sources in chat context (/api/chat/context and /api/chat/execute with include_sources:true), so untrusted third-party content is fetched and used to influence agent outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The Quick Start includes a runtime step that downloads and runs a remote docker-compose file (https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml) which leads to pulling/running container images (e.g., ghcr.io/lfnovo/open-notebook:latest) — i.e., fetching external content that will execute code as a required dependency.