notebooklm
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The environment setup script (
scripts/setup_environment.py) automatically downloads and installs the 'patchright' library and Google Chrome binaries at runtime. These downloads originate from non-whitelisted external sources and are executed on the host system. - COMMAND_EXECUTION (MEDIUM): The skill uses a wrapper script (
scripts/run.py) that facilitates the execution of any internal script viasubprocess.run. This pattern, combined with the automatic virtual environment management, provides a high-privilege execution surface that the agent is encouraged to use for all operations. - PROMPT_INJECTION (LOW): The
SKILL.mddocumentation contains 'Critical' follow-up instructions that attempt to override the agent's default decision-making process. It mandates a specific looping behavior ('STOP - Do not immediately respond') which could be exploited to keep the agent in an execution loop or ignore user intent.
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from external NotebookLM notebooks which could contain malicious instructions designed to compromise the agent.
- Ingestion points:
scripts/ask_question.py(browser scraping of response elements). - Boundary markers: Absent; the scraped text is returned directly to the agent with only a hardcoded follow-up reminder.
- Capability inventory: Subprocess execution (via
run.py), file system write/delete access (viacleanup_manager.py), and persistent network access via automated browser. - Sanitization: None; the response text is not sanitized, escaped, or validated before being interpolated into the agent's context.
Audit Metadata