notebooklm

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Prompt Injection / Indirect Prompt Injection (HIGH): The skill implements a 'Follow-Up Mechanism' where it appends a mandatory instruction (FOLLOW_UP_REMINDER) to every response retrieved from NotebookLM. This instruction directs the agent to 'STOP', 'ANALYZE', and 'ASK FOLLOW-UP', effectively overriding the agent's default reasoning loop with external, skill-defined logic.
  • Ingestion points: scripts/ask_question.py extracts text from .to-user-container .message-text-content and [data-message-author='bot'] selectors.
  • Boundary markers: None. The external content is returned as a raw string without delimiters or sanitization.
  • Capability inventory: The skill possesses execution capabilities, as it relies on the agent calling python scripts/run.py, which can execute arbitrary Python scripts within the skill directory. The scripts themselves use subprocess.run for environment management.
  • Sanitization: No sanitization or escaping is applied to the content retrieved from the web before it is returned to the agent.
  • Data Exposure & Exfiltration (MEDIUM): The skill stores sensitive Google authentication session cookies in ~/.claude/skills/notebooklm/data/browser_state/state.json. While local, this data is highly sensitive and is manipulated by the skill's scripts (auth_manager.py, ask_question.py) to bypass standard Playwright session persistence limitations.
  • Unverifiable Dependencies / Remote Code (MEDIUM): The scripts/setup_environment.py script automatically creates a virtual environment and installs dependencies from requirements.txt at runtime. This includes patchright, a third-party fork of Playwright. It also executes python -m patchright install chrome, which downloads and installs browser binaries from remote sources.
  • Command Execution (LOW): The skill heavily utilizes subprocess.run and os.system equivalents (via the run.py wrapper) to manage its execution environment. While intended for setup, this provides a platform for executing commands based on environment state.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:36 AM