notebooklm

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes responses from Google NotebookLM (Gemini) and returns them to the agent.
      ◦ Ingestion points: scripts/ask_question.py and scripts/browser_session.py extract text from the NotebookLM UI using CSS selectors (.to-user-container .message-text-content).
      ◦ Boundary markers: Absent. The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded in the retrieved text.
      ◦ Capability inventory: The skill has the ability to execute shell commands via subprocess.run (found in scripts/run.py, scripts/__init__.py, and scripts/setup_environment.py).
      ◦ Sanitization: Absent. Data retrieved from the browser is returned to the agent without validation or filtering.
  • [EXTERNAL_DOWNLOADS]: The skill automates the setup of its own environment and dependencies.
      ◦ Evidence: scripts/setup_environment.py installs Python packages from requirements.txt and downloads Google Chrome using patchright install chrome.
      ◦ Context: These operations are restricted to the skill's isolated .venv and are part of the documented setup process for the browser automation library used.
  • [COMMAND_EXECUTION]: The skill uses a wrapper script to manage execution within a virtual environment.
      ◦ Evidence: scripts/run.py uses subprocess.run to execute other Python scripts in the library (ask_question.py, auth_manager.py, etc.) using the .venv interpreter.
      ◦ Context: This is used for internal orchestration and environment isolation rather than executing arbitrary user-provided commands.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 9, 2026, 11:41 PM