Skills
skills/commandcodeai/agent-skills/notebooklm/Gen Agent Trust Hub

notebooklm

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill implements an automated environment manager that executes system commands to download and install external code.
  • Evidence: scripts/setup_environment.py and scripts/run.py use subprocess.run to call pip install -r requirements.txt and patchright install chrome. This triggers remote downloads and execution of unverified third-party binaries at runtime.
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection as it ingests untrusted data from an external website and possesses sensitive execution capabilities.
  • Ingestion points: scripts/ask_question.py (line 144) and scripts/browser_session.py (line 172) extract text content from the NotebookLM web interface using .inner_text().
  • Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat the scraped content as untrusted data.
  • Capability inventory: The skill can execute local scripts via scripts/run.py (which uses subprocess.run at line 89) and perform file system deletions via scripts/cleanup_manager.py (lines 142-146).
  • Sanitization: Absent. Content is passed directly from the browser to the agent's context.
  • Risk Escalation: The FOLLOW_UP_REMINDER in scripts/ask_question.py (lines 26-32) explicitly instructs the agent to analyze the scraped content and perform follow-up actions, increasing the likelihood of an attacker successfully steering the agent via malicious notebook content.
  • [Dynamic Execution] (MEDIUM): The skill uses a wrapper script to dynamically construct and execute commands.
  • Evidence: scripts/run.py (line 89) uses subprocess.run to execute scripts within the scripts/ directory based on arguments. While restricted to the subdirectory, this pattern facilitates the execution of any logic contained within the skill's scripts using the virtual environment's Python interpreter.
  • [Credential Exposure] (MEDIUM): The skill manages sensitive session data locally.
  • Evidence: scripts/auth_manager.py (implied by documentation) and AUTHENTICATION.md describe a hybrid auth approach that saves session cookies to ~/.claude/skills/notebooklm/data/browser_state/state.json. While protected by .gitignore, these files contain active session tokens for Google accounts which are accessed by multiple scripts in the skill.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:56 PM