notebook-lm
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on several shell-based commands for its initial setup and authentication, including `pip install`, `playwright install chromium`, and `notebooklm login`.
- [DATA_EXFILTRATION]: The skill requires access to sensitive Google authentication cookies, which are either read from the environment variable `NOTEBOOKLM_AUTH_JSON` or from a configuration file at `~/.notebooklm/storage_state.json`. It also provides methods to read local files via the `add_file` API, which could be used to access sensitive local data.
- [EXTERNAL_DOWNLOADS]: The skill initiates the installation of the `notebooklm-py` Python package and the Playwright framework, the latter of which downloads and installs Chromium browser binaries to the local environment.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes untrusted content from the web and local files.
  - Ingestion points: Untrusted data is ingested through `client.sources.add_url`, `client.sources.add_file`, and `client.research.start` (as documented in `SKILL.md` and `references/workflows.md`).
  - Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands mentioned in the interaction patterns for the `chat.ask` functionality.
  - Capability inventory: The skill has the capability to perform network-based research, read local files, and generate and download various artifact types (e.g., MP3, MP4, PDF, PNG, JSON).
  - Sanitization: The instructions do not describe any sanitization or validation processes for the ingested content before it is indexed and queried.
Audit Metadata