notebook
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Data enters the agent's context from NOTEBOOK.ipynb via the jq 'List Cells' command.
  - Boundary markers: No delimiters or instructions tell the agent to treat notebook content as untrusted or to ignore instructions embedded in it.
  - Capability inventory: The skill uses the Bash and Write tools, which allow arbitrary command execution and file modification anywhere on the system.
  - Sanitization: The natural-language content of the notebook is not sanitized or filtered before the agent processes it.
- [Command Execution] (MEDIUM): The skill relies on the Bash tool to perform file operations and jq transformations. While the intended commands are specific, the presence of a full shell significantly increases the risk should an indirect prompt injection attack succeed.
Recommendations
- AI detected serious security threats