notebooklm
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PERSISTENCE_MECHANISMS]: Documentation in README.md and QUICKSTART_CN.md explicitly instructs users to modify shell configuration files such as ~/.bashrc and ~/.zshrc to permanently change the system PATH environment variable.
- [PRIVILEGE_ESCALATION]: The installation guide recommends using sudo for system dependencies and the --break-system-packages flag for pip, which bypasses operating system protections designed to maintain environment stability.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill manages authentication via storage_state.json, which contains sensitive session cookies. The documentation encourages manual copying and movement of this file between machines, increasing the risk of credential exposure.
- [COMMAND_EXECUTION]: The core script scripts/notebooklm.py uses subprocess.run to execute commands, forwarding arguments directly from the agent's input to the shell.
- [INDIRECT_PROMPT_INJECTION]: The sub-agent delegation strategy defined in SKILL.md facilitates an attack surface where user-controlled strings, such as notebook IDs or task descriptions, are interpolated into shell scripts.
  - Ingestion points: User-provided notebook IDs and task parameters in SKILL.md.
  - Boundary markers: No delimiters or protective escape sequences are used in the provided command templates.
  - Capability inventory: Arbitrary shell command execution via subprocess.run in scripts/notebooklm.py across all tool functionalities.
  - Sanitization: No evidence of input validation or sanitization is present in the wrapper script.
- [DYNAMIC_EXECUTION]: The Python wrapper dynamically determines the binary to execute using the NOTEBOOKLM_BIN environment variable, which could allow for the execution of unauthorized binaries if the environment is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata