notebooklm
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill utilizes emphatic instructional markers (e.g., 'EXTREMELY IMPORTANT', 'Required Claude Behavior', 'CRITICAL') to steer the AI agent into an iterative retrieval loop. While these instructions are designed to ensure comprehensive research, they use patterns typical of prompt injection to override the agent's default response behavior.
- External Downloads (SAFE): The skill automatically installs dependencies into a local virtual environment during its first execution. This includes the 'patchright' automation framework and a full version of Google Chrome. These downloads are necessary for the skill's primary function of browser automation and are pinned to specific versions in requirements.txt.
- Command Execution (SAFE): A 'run.py' wrapper is used to execute all skill scripts, ensuring they run within the correct virtual environment. The skill also executes internal setup commands to manage the environment and browser drivers.
- Indirect Prompt Injection (LOW): The skill scrapes content from external web pages (NotebookLM) and incorporates it into the agent's context, creating a potential vector for indirect prompt injection.
- Ingestion points:
scripts/ask_question.pyandscripts/browser_session.py(scrapes text from DOM elements via RESPONSE_SELECTORS). - Boundary markers: Absent. Scraped text is returned directly to the agent without delimiters or instructions to ignore embedded commands.
- Capability inventory: Subprocess execution via
run.py, local file system access for library/auth management, and persistent network access via browser automation. - Sanitization: Absent. Extracted text is not sanitized or filtered for instructions before being returned.
Audit Metadata