notebooklm
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a wrapper script (run.py) and setup utilities to manage its local environment. It utilizes the Python subprocess module to execute pip for dependency installation and to run the various automation scripts included in the skill. This is a standard pattern for multi-script local agent skills.
- [EXTERNAL_DOWNLOADS]: During initialization, the skill downloads required Python packages (patchright and python-dotenv) from the official PyPI registry and fetches the Google Chrome browser binary using the patchright library's built-in installer. These downloads are from trusted/well-known sources and are essential for browser automation.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists because the skill retrieves and returns data from an external source (Google NotebookLM) to the AI agent.
- Ingestion points: The scripts/ask_question.py script scrapes text content from the NotebookLM web interface.
- Boundary markers: The scraped content is returned as a raw string without specific protective delimiters or 'ignore' instructions for the agent.
- Capability inventory: The skill possesses capabilities for local script execution, file system access to its own data directory, and network operations through browser automation.
- Sanitization: No automatic filtering or sanitization of the scraped text is performed prior to being returned to the agent context.
Audit Metadata