
notebooklm

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Unverifiable Dependencies] (HIGH): The skill uses a wrapper script (scripts/run.py) that, on first run, automatically creates a virtual environment, installs dependencies via pip, and installs browser binaries using 'patchright'. Because this installation process is not verified, arbitrary code can execute during the setup phase.
  • [Indirect Prompt Injection] (HIGH): The 'Follow-Up Mechanism' instructs the agent to analyze external content (NotebookLM answers) and automatically execute further commands based on those results. This creates a high-risk feedback loop in which malicious instructions embedded in a notebook could steer the agent into performing unintended actions.
  • [Command Execution] (MEDIUM): The skill relies on complex shell command sequences in which arguments (such as notebook names and descriptions) are derived from external notebook content during the 'Smart Add' and 'Follow-up' workflows.
  • [Data Exposure] (MEDIUM): Sensitive browser session data, including cookies and authentication state, is stored on the local file system at ~/.claude/skills/notebooklm/data/, making that directory a sensitive data store.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:34 AM