notebooklm

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The run.py wrapper is designed to automatically install Python dependencies and download the Chromium browser binary via patchright at runtime. This introduces a supply chain risk as the integrity of these external downloads is not verified within the skill.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill facilitates runtime execution of downloaded code and binaries. The run.py script acts as a local execution engine that can be triggered to run various automation scripts with full system access allowed to the agent.
  • [COMMAND_EXECUTION] (MEDIUM): The skill frequently constructs shell commands using python scripts/run.py. There is a risk of command injection if data retrieved from external NotebookLM queries is interpolated into the --question argument for follow-up actions without rigorous sanitization.
  • [PROMPT_INJECTION] (HIGH): The 'Follow-Up Mechanism' creates a feedback loop where the agent is instructed to analyze external notebook content and formulate new commands. This is a primary vector for Indirect Prompt Injection (Category 8).
      ◦ Ingestion points: ask_question.py retrieves untrusted content from Google NotebookLM.
      ◦ Boundary markers: None are specified; the agent is simply told to 'Analyze' and 'Identify Gaps'.
      ◦ Capability inventory: The agent has access to run.py (script execution), file system access to ~/.claude/, and full browser automation via patchright.
      ◦ Sanitization: No sanitization of the notebook content is mentioned before it is used to drive the 'Follow-up' commands.
  • [CREDENTIALS_UNSAFE] (MEDIUM): While not hardcoded, the skill manages highly sensitive data including Google session cookies and browser state in ~/.claude/skills/notebooklm/data/. A successful prompt injection could be used to attempt exfiltration of these persistent authentication tokens.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 12:21 AM