notebooklm
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The script setup_environment.py automatically downloads and installs a Google Chrome binary using patchright. This dependency is a non-standard fork and is not within the trusted source scope.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill performs remote code execution by downloading and running a browser installer (python -m patchright install chrome) during the environment setup phase. This allows for the execution of arbitrary binaries on the host system.
- [PROMPT_INJECTION] (HIGH): The script ask_question.py appends a hardcoded directive (FOLLOW_UP_REMINDER) to the output retrieved from the external website. This instruction uses high-priority markers ('EXTREMELY IMPORTANT') to force the agent into a specific behavioral loop, which is a signature of control-hijacking injections.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on a centralized run.py wrapper that uses subprocess.run to dynamically execute Python scripts. This structure increases the attack surface for command injection if arguments are improperly handled.
- [DATA_EXFILTRATION] (MEDIUM): The authentication architecture explicitly extracts and stores Google session cookies in a local state.json file. While documented for 'session persistence', this creates a high-value target for exfiltration of sensitive credentials.
Recommendations
- AI detected serious security threats