
Security audit

OpenNotebook

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenNotebook client, but it can upload, delete, and administer data on the configured OpenNotebook server.

Install only for a trusted OpenNotebook server. Verify the base URL, protect the API key, avoid running integration tests with real secrets, and require explicit approval before uploading private files, deleting resources, rebuilding embeddings, syncing models, changing settings, or using credential-management methods.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding
The skill exposes significant capabilities including environment access, filesystem access, shell execution, and network use, but does not declare permissions or warn users about that scope. This weakens transparency and reviewability, making it easier for a user or platform to invoke a broadly capable skill without understanding the trust boundary.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented purpose presents the skill as a notebook client, but the behavior appears to include a much broader administrative and model-management surface, including credentials, settings, jobs, embeddings, and podcast-related endpoints. That mismatch can mislead operators during installation or approval and may grant unintended access to sensitive or destructive functionality.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The API reference exposes credential-management capabilities that are materially more sensitive than the skill description suggests. In an agent setting, undisclosed access to create, list, and test provider credentials can expand the tool’s effective authority and lead to secret exposure or unauthorized external-account use if users or higher-level policies assume the skill is limited to notebook and search operations.

Description-Behavior Mismatch

Low
Confidence: 76%
Finding
The documented model/provider management endpoints broaden the skill’s authority beyond the stated notebook-centric scope. In an agent environment, the ability to create models, change defaults, or sync providers can alter downstream behavior, route data to unintended providers, or incur cost without users realizing the tool has configuration powers.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The client exposes full credential-management operations, including create, update, delete, migration, testing, and model registration, which exceed the skill's declared notebook/source/note/search/transformation scope. In an agent setting, this materially enlarges the authority surface and could let prompts or downstream logic manipulate sensitive provider credentials or trigger credential discovery/migration actions not expected by users.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The client includes podcast generation and episode/speaker profile management capabilities that are not disclosed in the stated skill description. Hidden or undeclared capabilities are dangerous for agent integrations because they can be invoked unexpectedly, causing unintended content generation, data processing, or modification of remote resources outside the user's understood scope.

Missing User Warnings

Medium
Confidence: 81%
Finding
The documentation advertises delete operations for notebooks, sources, and notes without highlighting that they may be irreversible or have cascading effects such as deleting associated sources. In agent-driven usage, omitted warnings increase the chance of accidental destructive actions from ambiguous prompts or operator misunderstanding.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill documentation includes upload, search, chat, and model operations that can transmit user files, notes, prompts, and other content to a remote service, but it does not clearly disclose that data leaves the local environment. This creates a privacy and compliance risk, especially when users may assume a local notebook workflow.

Missing User Warnings

Medium
Confidence: 84%
Finding
Credential-management operations are highly sensitive, and documenting them without privacy or secret-handling guidance increases the chance that an agent or user will mishandle API keys. In this skill context, these endpoints can expose, create, or test provider credentials, making accidental disclosure or misuse materially more dangerous than ordinary CRUD documentation.

Missing User Warnings

Medium
Confidence: 88%
Finding
Delete operations for notebooks and sources are executed immediately with no confirmation, dry-run, or safety interlock. In an agent/CLI context, this increases the risk of accidental or automated destructive actions that can permanently remove user data, especially because notebook deletion can also cascade to exclusive sources.

Missing User Warnings

Medium
Confidence: 91%
Finding
The API key is written to a local plaintext config file without any permission hardening or user warning, which can expose credentials to other local users, backups, or endpoint compromise. In an agent skill context, silent credential persistence is more dangerous because users may not realize secrets are being stored beyond the current session.

Missing User Warnings

Medium
Confidence: 97%
Finding
The test harness passes the API key as a command-line argument to child CLI processes. On many systems, process arguments are visible to other local users via tools like ps, shell history, CI logs, or crash diagnostics, so the secret can be exposed even though no shell injection occurs.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.