notebooklm
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script 'scripts/nlm-generate.sh' employs the 'eval' command to execute shell commands constructed from variables like 'NOTEBOOK_ID'. If these variables are populated with malicious shell metacharacters sourced from untrusted external data (such as a crafted notebook ID from an indirect injection), it could lead to arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of ingesting and processing untrusted external data.
  - Ingestion points: Data enters the agent's context through URL additions, YouTube transcript extraction, and web research results (referenced in 'SKILL.md' and 'scripts/nlm-research.sh').
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to help it distinguish between its operational directives and the content retrieved from external sources.
  - Capability inventory: The skill allows the agent to execute CLI commands, write files to the local filesystem (via download commands), and perform network operations.
  - Sanitization: The wrapper scripts lack sanitization logic to validate or escape parameters before they are used in shell commands.
- [DATA_EXFILTRATION]: The skill's operation relies on a local storage file ('~/.notebooklm/storage_state.json') that contains sensitive Google authentication cookies, including SID and HSID. While intended for legitimate session management, these credentials represent high-value targets for exfiltration if the environment is compromised.
- [EXTERNAL_DOWNLOADS]: The documentation and skill files ('README.md', 'notebooklm.md') facilitate the installation of external software. This includes the 'notebooklm-py' package from PyPI and specific versions fetched directly from GitHub using 'curl' to identify tags and 'pip' for installation.
- [PROMPT_INJECTION]: The 'SKILL.md' file uses strong, mandatory language ('YOU MUST invoke', 'Failure... violates your operational requirements') to override the agent's default decision-making and force the use of the skill when certain keywords are detected.
Audit Metadata