The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection due to its handling of untrusted external content. 1. Ingestion points: remote_manager.py and ask_question.py take input via --url, --file, and --question flags. 2. Boundary markers: Absent; raw strings are passed directly to the browser automation layer. 3. Capability inventory: Extensive file system access and browser automation via Playwright. 4. Sanitization: Includes URL validation via regex and profile name sanitization to prevent path traversal.
[Data Exposure & Exfiltration] (LOW): The skill manages high-value Google authentication cookies (SID, HSID, etc.) in persistent Chrome profiles at ~/.config/claude/notebooklm-skill/. While this is required for the session management functionality, it creates a local repository of sensitive data.

notebooklm