nlm-skill
Warn
Audited by Socket on Mar 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill is largely coherent and uses verifiable package-manager distribution, but it wraps undocumented NotebookLM APIs, handles raw Google session cookies, and includes transitive skill-installation plus public sharing/invite actions. This is not confirmed malicious, but it has meaningful trust and credential-handling risk beyond a normal documentation-only skill.
Confidence: 88%
Severity: 64%