notebooklm
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of `notebooklm-py` and `playwright`. While `playwright` is a well-known service from a trusted organization, `notebooklm-py` is an external dependency from a source not included in the trusted vendors list.
- [CREDENTIALS_UNSAFE]: The skill manages authentication by storing Google/NotebookLM session cookies in `~/.notebooklm/storage_state.json`. These are sensitive credentials that allow access to the user's NotebookLM account.
- [COMMAND_EXECUTION]: The script `scripts/import_sources.py` uses `subprocess.run` to execute the `notebooklm` CLI tool, utilizing `source_id` values parsed from external JSON files as command arguments.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it imports external summaries and Q&A answers from NotebookLM into the vault.
  - Ingestion points: Data is ingested through `sources.json` and `qa-output.json` in the scripts `import_sources.py` and `resolve_citations.py`.
  - Boundary markers: No explicit delimiters or instructions are used to prevent the agent from obeying instructions embedded in the imported text.
  - Capability inventory: The skill can execute subprocesses via the `notebooklm` CLI and perform file write operations across the vault.
  - Sanitization: Filenames are sanitized using regex, but the imported text content is written to Markdown files without filtering for potential malicious instructions.
Audit Metadata