jupyter-live-kernel

Fail

Audited by Snyk on Apr 27, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill intentionally runs a headless Jupyter server with token and password authentication disabled and exposes REST/kernel controls that allow arbitrary Python execution through created notebooks and sessions. This is effectively a deliberate backdoor-like configuration that enables remote code execution if the server is reachable. No direct evidence of data exfiltration, credential harvesting, obfuscated payloads, or external C2 is present in the content.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The SKILL.md Setup section instructs cloning and using the public GitHub repo https://github.com/hamelsmu/hamelnb.git (the hamelnb script), which the skill runs as its core script. This ingests and executes untrusted third-party code that can materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's setup explicitly instructs cloning and then running code from the external repository (git clone https://github.com/hamelsmu/hamelnb.git), which provides the SCRIPT that the skill executes at runtime; remote code is therefore fetched and executed as a required dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs launching a headless Jupyter server with token and password authentication disabled and performing filesystem and process changes (cloning into ~/.agent-skills, creating notebooks, starting kernels), which bypasses local authentication and alters host state, posing a security risk.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 27, 2026, 07:07 AM
Issues: 4