notebooklm
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill describes a 'Sub-Agent Delegation' pattern using `sessions_spawn` where user-controlled strings, such as notebook IDs and generation prompts, are interpolated into task descriptions for sub-agents. This lacks boundary markers and sanitization, creating an indirect prompt injection surface. (Ingestion points: User-provided notebook IDs and task prompts in SKILL.md; Boundary markers: Absent; Capability inventory: Subprocess execution via `scripts/notebooklm.py`; Sanitization: Absent).
- [COMMAND_EXECUTION]: The `scripts/notebooklm.py` script forwards arguments to the `notebooklm` binary using `subprocess.run`. This allows the agent to execute any command supported by the underlying CLI tool.
- [DATA_EXFILTRATION]: The skill documentation describes the management of `storage_state.json`, which contains sensitive session cookies for authentication. While it advises on secure handling, the reliance on manual transfer and storage of session data increases the risk of exposure or unauthorized access.
- [EXTERNAL_DOWNLOADS]: The README and installation guides recommend downloading the `notebooklm-py` package and browser dependencies, including the use of high-privilege `sudo` commands for system library installation.
Audit Metadata