jupyter-notebook
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill establishes a high-risk surface for Indirect Prompt Injection (Category 8). It is designed to ingest untrusted user instructions and data to generate executable code and markdown in Jupyter notebooks.
- Ingestion points: User-provided titles and content descriptions processed by SKILL.md and scripts/new_notebook.py.
- Boundary markers: Absent. There are no delimiters or system instructions to prevent the agent from executing malicious code that might be embedded in user-provided data.
- Capability inventory: The skill enables writing to the filesystem via the helper script and encourages arbitrary code execution using jupyterlab/ipykernel.
- Sanitization: Absent. User input is interpolated directly into notebook cells.
- COMMAND_EXECUTION (MEDIUM): The helper script
scripts/new_notebook.pylacks path validation for its output destination. - Evidence: The
--outparameter allows specifying an arbitrary path which is resolved and written to usingout_path.open('w'). This could allow an attacker to overwrite sensitive files if the agent is directed to a restricted directory. - EXTERNAL_DOWNLOADS (MEDIUM): The skill instructions suggest installing external packages without pinning specific versions or using trusted source verification.
- Evidence: SKILL.md recommends
uv pip install jupyterlab ipykernel, which pulls from public registries and introduces unverifiable dependencies.
Recommendations
- AI detected serious security threats
Audit Metadata