notebooklm

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill automatically downloads and installs Google Chrome binaries using the 'patchright' library during setup in 'scripts/setup_environment.py'. While necessary for browser automation, this involves downloading non-verified binaries from a non-trusted third-party package.
  • COMMAND_EXECUTION (MEDIUM): The 'scripts/run.py' and 'scripts/setup_environment.py' scripts use 'subprocess.run' to execute shell commands for managing the virtual environment and installing dependencies.
  • DATA_EXFILTRATION (MEDIUM): The skill stores and reads Google session cookies in 'data/browser_state/state.json'. This sensitive file access is required for persistent authentication but represents a local exposure of credentials.
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection from data retrieved from NotebookLM documents.
      1. Ingestion points: 'scripts/ask_question.py' (reads text from browser).
      2. Boundary markers: Absent.
      3. Capability inventory: 'run.py' (subprocess execution), 'notebook_manager.py' (file-write).
      4. Sanitization: Absent; the raw response from NotebookLM is returned to the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 19, 2026, 04:11 AM