Gen Agent Trust Hub audit of skill: think (skills/zpankz/mcp-skillset/think)

Verdict: Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings flagged: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (MEDIUM): The notebook tool's run_cell operation in NOTEBOOK.md allows for the execution of arbitrary JavaScript and TypeScript code. While this is the primary purpose of the tool, it represents a high-risk capability that could be exploited to run malicious commands if the agent is manipulated.
  • EXTERNAL_DOWNLOADS (MEDIUM): The notebook tool includes an install_deps operation (documented in NOTEBOOK.md) that permits the installation of third-party packages from npm. This allows for the introduction of unverifiable dependencies that may contain malicious scripts executed during the installation or runtime phases.
  • DATA_EXFILTRATION (MEDIUM): The notebook tool provides load and export operations (NOTEBOOK.md) that interact with the local filesystem. These can be used to read sensitive system files (e.g., config, credentials) or write files to persistent locations (e.g., startup scripts), creating exposure and persistence risks.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). An attacker could provide a malicious .src.md notebook file that, when loaded, instructs the agent to execute harmful code or exfiltrate data.
      • Ingestion points: notebook({ operation: "load", args: { path: "..." } }) and add_cell (documented in NOTEBOOK.md).
      • Boundary markers: Absent; there are no instructions to ignore embedded commands in loaded content.
      • Capability inventory: run_cell, install_deps, and export operations provide significant system access (NOTEBOOK.md).
      • Sanitization: Absent; the skill does not specify any validation or sanitization for content loaded into the notebook.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:28 PM