observable-notebook-kit

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill executes 'Data Loaders' using the Node.js, Python, and R interpreters at build time. Building or previewing any notebook that ships loaders of these script types runs that code on the host system, with the privileges of the user running the build.
  • [COMMAND_EXECUTION] (HIGH): Provides CLI commands to build and preview notebooks; invoking either command runs the embedded scripts and interpreters described above.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The 'notebooks download' command retrieves external HTML notebook files from observablehq.com. If pointed at an untrusted URL, it ingests attacker-controlled content into the local environment, and a subsequent build executes any data loaders that content brings with it.
  • [PROMPT_INJECTION] (HIGH): High susceptibility to Indirect Prompt Injection (Category 8): the skill processes external content (notebooks) that may contain instructions targeting the agent, and it has high-privilege capabilities (execution/build) that such instructions could invoke.
  • Ingestion points: 'notebooks download' command in SKILL.md.
  • Boundary markers: Absent for notebook script content.
  • Capability inventory: Full execution of JS, Node.js, Python, R, and shell-based CLI commands.
  • Sanitization: No validation or sanitization of downloaded notebook content is mentioned.
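Because the audit finds no validation of downloaded notebook content, the following is an added example of the kind of pre-build gate a practitioner would put in front of the 'notebooks download' and build steps. It is not code from observable-notebook-kit or from the audit; it assumes that data loaders are identified by a double extension whose last part names the interpreter (e.g. `sales.csv.py`), which is an assumption modelled on the interpreters the audit lists rather than the kit's documented convention, and it uses a constructed file listing as input.

```javascript
// Added example, not part of observable-notebook-kit.
// Two checks: (1) only fetch notebooks from observablehq.com over HTTPS,
// (2) inventory interpreter-backed data loaders and refuse to build unless
//     each interpreter has been explicitly allowed by the operator.

// ASSUMPTION: hosts the download command may target. Subdomains of
// observablehq.com are accepted; look-alike hosts such as
// "observablehq.com.evil.example" are not.
const ALLOWED_HOST = "observablehq.com";

// ASSUMPTION: loader suffix -> interpreter it would invoke at build time.
const LOADER_INTERPRETERS = new Map([
  [".js", "node"],
  [".ts", "node"],
  [".py", "python"],
  [".R", "Rscript"],
  [".r", "Rscript"],
  [".sh", "sh"],
]);

// Reject anything that is not an HTTPS URL on the allowed host, and refuse
// URLs carrying embedded credentials.
function isAllowedNotebookUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  if (host !== ALLOWED_HOST && !host.endsWith("." + ALLOWED_HOST)) return false;
  if (u.username || u.password) return false;
  return true;
}

// Classify one path as a data loader (or null). A loader has at least two
// extensions, the last of which is an interpreter suffix: "sales.csv.py"
// produces "sales.csv" via python. "lib/util.js" is a module, not a loader.
function classifyLoader(path) {
  const name = path.split("/").pop();
  const parts = name.split(".");
  if (parts.length < 3) return null;
  const ext = "." + parts[parts.length - 1];
  const interpreter = LOADER_INTERPRETERS.get(ext);
  if (!interpreter) return null;
  return { path, output: parts.slice(0, -1).join("."), interpreter };
}

// Walk a file listing, collect every loader, and report which ones would run
// an interpreter the operator has not allowed. `ok` is true only when the
// build would execute nothing outside the allow-list.
function auditLoaders(paths, allowedInterpreters = new Set()) {
  const loaders = paths.map(classifyLoader).filter(Boolean);
  const blocked = loaders.filter((l) => !allowedInterpreters.has(l.interpreter));
  return { loaders, blocked, ok: blocked.length === 0 };
}

// Constructed sample listing of a downloaded notebook directory.
const SAMPLE_FILES = [
  "index.html",
  "data/quakes.json.js",
  "data/sales.csv.py",
  "data/model.json.R",
  "lib/util.js",
];

// Stand-alone demonstration: an allowed URL, a look-alike host, and an
// audit that only permits Node.js loaders (python and Rscript are blocked).
console.log(isAllowedNotebookUrl("https://observablehq.com/@d3/bar-chart"));
console.log(isAllowedNotebookUrl("https://observablehq.com.evil.example/x"));
const report = auditLoaders(SAMPLE_FILES, new Set(["node"]));
console.log(report.ok, report.blocked.map((l) => `${l.path} (${l.interpreter})`));
```

The point of the second check is that the decision to run an interpreter is made by the operator before the build, per interpreter, rather than implicitly by whatever files arrived with the download; an agent that downloads a notebook on instruction from its content still cannot get Python or R executed without the allow-list being widened.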
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:46 AM