Skills
skills/jacob-bd/notebooklm-mcp-cli/nlm-skill/Snyk

nlm-skill

Fail

Audited by Snyk on Mar 3, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs extracting cookie headers from Chrome DevTools and passing them verbatim to mcp__notebooklm-mcp__save_auth_tokens(cookies="<cookie_header>"), which requires handling and embedding sensitive auth cookies/tokens directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflows (SKILL.md and references/workflows.md) explicitly ingest public web and YouTube content via commands like "nlm source add --url 'https://...'" and "nlm research start 'query' --notebook-id --mode deep" and then use those imported sources to drive generation (e.g., nlm audio create, report create) and decisions, so untrusted third-party content can materially influence the agent's actions.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 3, 2026, 07:07 AM