Gen Agent Trust Hub: skills/jpropato/siba/notebooklm

notebooklm

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The scripts/setup_environment.py file installs Python packages from requirements.txt and a Chrome browser via `patchright install chrome` at runtime. Neither step verifies what it fetches against a known-good digest, so whatever the registry or download server returns at install time is executed with the user's privileges.
  • CREDENTIALS_UNSAFE (HIGH): The skill implements a 'Hybrid Authentication' approach (documented in AUTHENTICATION.md) that saves the user's live Google session cookies to data/browser_state/state.json and re-injects them into later browser sessions. Anything that can read that file, including the skill's own automation, holds the user's full Google identity rather than a scoped credential for NotebookLM.
  • COMMAND_EXECUTION (MEDIUM): The scripts/run.py script is a wrapper that builds shell commands at runtime and executes them with subprocess.run to launch the other scripts and manage the virtual environment.
  • EXTERNAL_DOWNLOADS (MEDIUM): During setup, the skill downloads binaries (Chrome) and third-party packages from PyPI. While these come from known registries, the unattended nature of the install and the use of patchright, an anti-detection fork of Playwright, increase the risk profile.
  • PROMPT_INJECTION (LOW): SKILL.md includes several 'CRITICAL' instructions intended to override the agent's default behavior, such as 'STOP' followed by 'Do not immediately respond to user', and 'NEVER call scripts directly'. These are used to enforce specific tool-use workflows.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill possesses a significant attack surface for indirect prompt injection.
      ◦ Ingestion points: ask_question.py receives untrusted user input via the --question argument and navigates to arbitrary URLs via --notebook-url.
      ◦ Boundary markers: Absent. No delimiters or warnings are used when passing user-provided questions to the browser automation.
      ◦ Capability inventory: Full browser automation via patchright on a logged-in Google account, plus the ability to execute local scripts via subprocess in run.py.
      ◦ Sanitization: Absent. The input is passed directly to the browser typing engine in StealthUtils.human_type.
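The REMOTE_CODE_EXECUTION and EXTERNAL_DOWNLOADS findings both come down to installing whatever the registry serves at run time. The check a reviewer would want before a setup script runs `pip install -r requirements.txt` is that every requirement is version-pinned and carries a `--hash=` entry, so that pip's `--require-hashes` mode can refuse anything that does not match. The following is an added example written for this report, not code from the audited skill; the requirements content is a constructed sample with placeholder digests, and the script/path names are assumptions.

```python
"""Added example (not part of the audited skill): refuse to install from a
requirements file unless every requirement is version-pinned and hashed,
then build the pip argv that enforces those hashes."""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two pinned-and-hashed requirements and one bare one.
# Digests are placeholders, not real package hashes.
SAMPLE_REQUIREMENTS = """\
# requirements.txt (constructed sample for this example)
patchright==1.49.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
pyyaml
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;\\]+)")
_HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-f]+)")


@dataclass
class Requirement:
    name: str
    version: Optional[str]
    hashes: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def pinned(self) -> bool:
        # pip --require-hashes needs an exact '==' pin and at least one hash.
        return self.version is not None and bool(self.hashes)


def parse_requirements(text: str) -> List[Requirement]:
    """Parse the subset of requirements syntax needed for this check:
    comments, blank lines, backslash continuations, '==' pins and --hash options."""
    logical_lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comment
        if line.endswith("\\"):                    # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical_lines.append(buf.strip())
        buf = ""
    if buf.strip():
        logical_lines.append(buf.strip())

    reqs: List[Requirement] = []
    for line in logical_lines:
        hashes = [(alg, digest) for alg, digest in _HASH_RE.findall(line)]
        m = _PIN_RE.match(line)
        if m:
            reqs.append(Requirement(m.group(1), m.group(2), hashes))
        else:
            # Unpinned or range-specified requirement: record the name only.
            name = re.split(r"[\s<>=!~;\[]", line, 1)[0]
            reqs.append(Requirement(name, None, hashes))
    return reqs


def unpinned(text: str) -> List[str]:
    """Names of requirements that would make `pip --require-hashes` fail."""
    return [r.name for r in parse_requirements(text) if not r.pinned]


def pip_install_command(req_path: str) -> List[str]:
    """argv for an install that rejects any package whose hash does not match."""
    return [sys.executable, "-m", "pip", "install", "--require-hashes", "-r", req_path]


if __name__ == "__main__":
    missing = unpinned(SAMPLE_REQUIREMENTS)
    if missing:
        print("refusing to install; unpinned or unhashed:", missing)
    else:
        # Only reached when the whole file is hash-pinned (assumed path).
        subprocess.run(pip_install_command("requirements.txt"), check=True)
```

With `--require-hashes`, pip also refuses to resolve transitive dependencies that are not listed with hashes, so the lock file has to be complete (a tool such as pip-compile with `--generate-hashes` produces one). The browser download made by `patchright install chrome` is outside pip entirely and needs its own pinning and checksum step, which this example does not cover.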
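For the CREDENTIALS_UNSAFE finding, the practical question for an operator is what exactly data/browser_state/state.json contains and who can read it. Playwright-style tools (patchright included) persist a `storage_state` JSON with a `cookies` list, so the file can be audited directly. The example below is added for this report and is not the skill's code; it uses a constructed state file with fake cookie values and a list of well-known Google session cookie names as the set to flag.

```python
"""Added example (not part of the audited skill): audit a Playwright-style
storage_state file such as data/browser_state/state.json, listing the Google
session cookies it holds, their expiry, and whether the file is readable by
other users."""
import json
import os
import stat
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

# Cookie names that carry a signed-in Google session; treated as the flag list.
SESSION_COOKIE_NAMES = {"SID", "HSID", "SSID", "APISID", "SAPISID",
                        "__Secure-1PSID", "__Secure-3PSID", "OSID", "LSID"}

# Constructed sample in storage_state shape; every value is fake.
SAMPLE_STATE = {
    "cookies": [
        {"name": "SID", "value": "fake-sid", "domain": ".google.com", "path": "/",
         "expires": 1800000000, "httpOnly": False, "secure": True, "sameSite": "None"},
        {"name": "__Secure-1PSID", "value": "fake-1psid", "domain": ".google.com",
         "path": "/", "expires": 1800000000, "httpOnly": True, "secure": True,
         "sameSite": "None"},
        {"name": "NID", "value": "fake-nid", "domain": ".google.com", "path": "/",
         "expires": 1800000000, "httpOnly": True, "secure": True, "sameSite": "None"},
        {"name": "theme", "value": "dark", "domain": "example.org", "path": "/",
         "expires": -1, "httpOnly": False, "secure": False, "sameSite": "Lax"},
    ],
    "origins": [],
}


def session_cookies(state: dict) -> List[dict]:
    """Cookies that, copied into any browser, log it in as this account:
    well-known names scoped to a google.com domain."""
    out = []
    for c in state.get("cookies", []):
        domain = c.get("domain", "").lstrip(".")
        if domain.endswith("google.com") and c.get("name") in SESSION_COOKIE_NAMES:
            out.append(c)
    return out


def expiry_utc(cookie: dict) -> str:
    """ISO-8601 UTC expiry, or 'session' for a non-persistent cookie."""
    exp = cookie.get("expires", -1)
    if exp is None or exp < 0:
        return "session"
    return datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()


def readable_by_others(path: str) -> bool:
    """True if the POSIX mode grants read to group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_state_file(path: str) -> Dict[str, object]:
    with open(path, "r", encoding="utf-8") as f:
        state = json.load(f)
    sess = session_cookies(state)
    return {
        "session_cookies": sorted(c["name"] for c in sess),
        "expiries": {c["name"]: expiry_utc(c) for c in sess},
        "file_too_permissive": readable_by_others(path),
    }


def write_sample(dirpath: str, mode: int) -> str:
    """Write the constructed sample to disk with the given mode (demo only)."""
    path = os.path.join(dirpath, "state.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(SAMPLE_STATE, f)
    os.chmod(path, mode)
    return path


def demo(mode: int = 0o644) -> Dict[str, object]:
    """Write the sample with `mode` into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        return audit_state_file(write_sample(d, mode))


if __name__ == "__main__":
    print(demo(0o644))   # world-readable, as a default umask typically leaves it
    print(demo(0o600))   # owner-only
```

Run against the real file (`audit_state_file("data/browser_state/state.json")`), a non-empty `session_cookies` list means the file is equivalent to the Google password for as long as the listed expiry, and `file_too_permissive` set to True means every local user can read it. The NID cookie in the sample is deliberately not flagged: it is a google.com cookie but not a login credential.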
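The COMMAND_EXECUTION and INDIRECT_PROMPT_INJECTION findings meet in the wrapper: run.py builds a shell command that carries the untrusted --question and --notebook-url values into ask_question.py, and nothing validates them on the way. The added example below, written for this report rather than taken from the skill, shows the shell-string launch shape beside a hardened wrapper that allowlists the notebook host, strips control characters a keystroke engine would replay, and launches the worker as an argv list with no shell. The script path, option names and the notebooklm.google.com host are assumptions matching the finding, not the skill's verified interface.

```python
"""Added example (not part of the audited skill): unsafe shell-string launch
versus a hardened wrapper that validates --notebook-url and --question and
runs the worker with an argv list. Paths and option names are assumptions."""
import re
import shlex
import subprocess
import sys
from typing import List
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"notebooklm.google.com"}   # assumed target host
WORKER = "scripts/ask_question.py"          # assumed worker path
MAX_QUESTION_LEN = 2000


def unsafe_launch_command(question: str, notebook_url: str) -> str:
    """The risky shape: untrusted values interpolated into one shell string.
    Run with shell=True, metacharacters in the question are executed, and even
    a benign question is split into several arguments by the shell."""
    return f"python {WORKER} --question {question} --notebook-url {notebook_url}"


def unsafe_argv(question: str, notebook_url: str) -> List[str]:
    """How a POSIX shell would tokenise the unsafe string (no execution)."""
    return shlex.split(unsafe_launch_command(question, notebook_url))


class RejectedInput(ValueError):
    """Raised when an argument fails validation; the wrapper then does not launch."""


def validate_notebook_url(url: str) -> str:
    """Accept only https URLs on an allowlisted host, with no embedded
    credentials, pointing at a notebook page."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedInput("notebook URL must be https")
    if parts.hostname not in ALLOWED_HOSTS:
        raise RejectedInput(f"host not allowed: {parts.hostname!r}")
    if parts.username or parts.password:
        raise RejectedInput("credentials in URL are not allowed")
    if not parts.path.startswith("/notebook/"):
        raise RejectedInput("path must be a notebook page")
    return url


def is_allowed_url(url: str) -> bool:
    try:
        validate_notebook_url(url)
        return True
    except RejectedInput:
        return False


# Control characters other than CR/LF: a typing engine replays these as keys.
_CONTROL = re.compile(r"[\x00-\x09\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_question(q: str) -> str:
    """Strip control characters, fold newlines to spaces (Enter would submit
    the form mid-question), and bound the length."""
    q = _CONTROL.sub("", q)
    q = re.sub(r"[\r\n]+", " ", q).strip()
    if not q:
        raise RejectedInput("question is empty after sanitization")
    if len(q) > MAX_QUESTION_LEN:
        raise RejectedInput("question too long")
    return q


def safe_launch_argv(question: str, notebook_url: str) -> List[str]:
    """argv list: each value is exactly one argument and no shell parses it.
    The --question=VALUE form keeps a value that starts with '-' from being
    read as another option by an argparse-style worker."""
    return [sys.executable, WORKER,
            "--notebook-url", validate_notebook_url(notebook_url),
            "--question=" + sanitize_question(question)]


def launch(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute without a shell; the argv list is passed to the OS as-is."""
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    url = "https://notebooklm.google.com/notebook/abc123"
    print(unsafe_argv("what is this; id", url))
    print(safe_launch_argv("what is this; id", url))
```

The validation bounds what the wrapper will execute and where the browser will navigate; it does not make the question text safe for the model or the site, and it adds nothing the report's "Boundary markers: Absent" point asks for on the agent side. Those remain separate controls.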
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 19, 2026, 06:40 PM