notebooklm
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill provides explicit instructions in SKILL.md to override the agent's standard interaction model. The "Follow-Up Mechanism" section commands the agent to "STOP", "do not immediately respond to user", and "REPEAT" queries until its research is complete, overriding default response patterns.
- [COMMAND_EXECUTION]: Scripts such as ask_api.py and auto_add.py use subprocess.run with the shell=True argument to execute system commands. This is a security anti-pattern that presents an injection risk if the command strings were to include untrusted input.
- [EXTERNAL_DOWNLOADS]: The setup_environment.py script automatically downloads and installs the Google Chrome binary from external sources via the "patchright install chrome" command during the skill's environment preparation.
- [DATA_EXFILTRATION]: To maintain persistent authentication, the skill captures and stores sensitive Google session cookies in data/browser_state/state.json. While this data remains local, the storage of decrypted session tokens creates a high-value target for credential exposure.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection from processed documents.
  - Ingestion points: Content is retrieved from the NotebookLM web interface in scripts/ask_question.py using DOM selectors.
  - Boundary markers: The skill does not use delimiters or specific safety instructions to isolate the retrieved content from the agent's reasoning process.
  - Capability inventory: The skill allows the agent to execute arbitrary local Python scripts through the run.py wrapper and perform filesystem operations via upload_source.py.
  - Sanitization: There is no evidence of sanitization or filtering of the response text retrieved from the browser before it is returned to the agent.
Audit Metadata