notebooklm

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • PROMPT_INJECTION (LOW): The skill utilizes a deliberate multi-step chain injection technique (Category 8b). In scripts/ask_question.py, a hardcoded FOLLOW_UP_REMINDER is appended to the answer returned from NotebookLM. This reminder contains explicit instructions ('EXTREMELY IMPORTANT: Is that ALL you need to know?... ask me another comprehensive question') designed to control the AI agent's logic flow and force iterative querying. Additionally, the 'Smart Add' workflow in SKILL.md creates a tool-output-poisoning surface where the agent is instructed to use content discovered from a notebook to populate library metadata.
  • EXTERNAL_DOWNLOADS (LOW): The skill implements an automated setup routine in scripts/setup_environment.py that runs 'pip install' for its dependencies and 'patchright install chrome' to download the browser. While these actions are necessary for the skill's primary function of browser automation, the downloads originate from untrusted external sources (Category 4).
  • DATA_EXFILTRATION (LOW): The skill manages highly sensitive Google session cookies, storing them in data/browser_state/state.json. While this is required for the 'hybrid authentication' design that works around Playwright persistence bugs, storing raw session cookies in the skill's data directory creates a localized exposure surface for sensitive credentials (Category 2).
  • COMMAND_EXECUTION (SAFE): The scripts/run.py wrapper uses subprocess.run to execute Python scripts. It includes a security check to ensure the target script exists within the scripts/ directory before execution, effectively mitigating arbitrary command injection via the wrapper.
  • INDIRECT PROMPT INJECTION EVIDENCE CHAIN:
      • Ingestion points: scripts/ask_question.py and scripts/browser_session.py both ingest untrusted data by reading the inner text of DOM elements from Google NotebookLM pages.
      • Boundary markers: Absent. The skill returns raw content from the web page without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The agent has the capability to execute browser automation (ask_question.py), manage a library of URLs (notebook_manager.py), and manage authentication sessions (auth_manager.py) through the run.py wrapper.
      • Sanitization: None. Content retrieved from the browser is returned to the agent without filtering or escaping.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:39 PM