academic-jupyter
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill demonstrates a surface for indirect prompt injection (Category 8) by reading notebook files from the workspace. Evidence Chain:
  1. Ingestion points: Reading notebooks via the `/api/contents/` endpoint in `SKILL.md`.
  2. Boundary markers: Absent; the skill does not instruct the agent to ignore instructions embedded within the notebook data.
  3. Capability inventory: The skill can execute arbitrary Python code and manage system kernels.
  4. Sanitization: None provided for the content of the notebooks being read.
- Command Execution (LOW): The skill uses dynamic execution (Category 10) by writing Python code to `/tmp/cell.py` and executing it via `python3`. This is categorized as LOW because it is the stated primary purpose of the skill to provide interactive computing capabilities.
Audit Metadata