qiaomu-anything-to-notebooklm

Warn

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The install.sh script downloads and installs software from personal GitHub repositories that are not verified or listed as trusted organizations. Specifically, it installs notebooklm-py from github.com/teng-lin/notebooklm-py.git and clones wexin-read-mcp from github.com/Bwkyd/wexin-read-mcp.git. This is a supply chain risk: the integrity of these external dependencies cannot be guaranteed, and neither install step pins a commit or verifies a checksum.
  • [REMOTE_CODE_EXECUTION]: The skill downloads and executes remote scripts as part of its core logic. The installation process automatically fetches code that is subsequently run by the agent. Furthermore, the fetch_url.sh script utilizes various proxy services and tools (like agent-fetch) to retrieve and process remote content.
  • [COMMAND_EXECUTION]: Multiple components of the skill (main.py, check_env.py, scripts/get_podcast_transcript.py, install.sh) use subprocess.run and os.system to execute shell commands. These commands invoke external binaries such as curl, git, notebooklm, and lark-cli. While primarily used for orchestration, this pattern increases the attack surface if user-supplied inputs (such as URLs or file paths) are not strictly sanitized before being passed to a shell.
  • [DATA_EXFILTRATION]: The skill's primary function involves sending user-provided content (files, web articles, transcripts) to external services, including Google NotebookLM, Jina AI (r.jina.ai), and Get笔记 (openapi.biji.com). While these operations are documented as features, users should be aware that sensitive information from processed documents is transmitted to these third-party platforms.
  • [DYNAMIC_EXECUTION]: The check_env.py script uses the __import__ function to dynamically load Python modules. While used here for verifying the presence of dependencies, dynamic imports can be used to execute arbitrary code if the module names are controlled by an attacker.
  • [DATA_EXPOSURE]: The feishu-read-mcp component downloads images from processed documents and stores them in the /tmp/feishu_images directory. If the system's temporary directory is accessible by other users, this could lead to information exposure.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: May 1, 2026, 01:10 PM