observable-notebooks
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- Remote Code Execution (HIGH): The skill explicitly supports 'data loaders' in languages such as Python, R, and Node.js, which allow for the execution of arbitrary system commands and code during the build or preview process. Additionally, the use of 'npm:' imports allows the runtime to download and execute code directly from the NPM registry.
- External Downloads (HIGH): The 'notebooks download' command allows users to fetch notebook files from arbitrary URLs. Since these files contain executable code cells, this facilitates the introduction of malicious logic into the local environment.
- Indirect Prompt Injection (HIGH): This skill provides a significant attack surface for indirect injection.
  - Ingestion points: Data enters the system via 'FileAttachment()', 'fetch()', and the 'notebooks download' command.
  - Boundary markers: None are specified; instructions within external data or downloaded notebooks can be interpreted as code.
  - Capability inventory: The skill can execute code in multiple languages, perform network requests, and access the local file system.
  - Sanitization: No sanitization or validation of external content is mentioned before it is processed or executed.
- Command Execution (MEDIUM): The CLI tools provided ('notebooks preview' and 'notebooks build') automate the execution of code embedded within the notebook HTML files, potentially leading to unauthorized operations if the files are compromised.
Recommendations
- AI detected serious security threats
Audit Metadata