DeepReader
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- Prompt Injection (LOW):
- Category 8: Indirect Prompt Injection Surface
- Ingestion points: Fetches arbitrary external content via
GenericParserandYouTubeParser. - Boundary markers: Scraped content is delimited using YAML frontmatter and Markdown headers (
## Content) inStorageManager. - Capability inventory: The skill can write files to the
memory/inbox/directory, perform network requests to any URL, and interact with the NotebookLM API. - Sanitization: Implements basic whitespace normalization and YAML escaping for metadata, but the primary content body is saved without filtering for malicious instructions.
- Data Exposure & Exfiltration (LOW):
- Sensitive File Access: The NotebookLM integration accesses
~/.book_client_sessionto retrieve session credentials. While necessary for functionality, this is a sensitive credential access. - SSRF Surface: The scraper performs HTTP GET requests to user-provided URLs without domain restriction, allowing potential probing of internal network resources.
- Unverifiable Dependencies (LOW):
- The code references
notebooklm-pyfor integration, which is not listed in therequirements.txtfile.
Audit Metadata