notebooklm
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The library includes logic to execute a user-defined shell command for refreshing authentication cookies. The command is retrieved from the
NOTEBOOKLM_REFRESH_CMDenvironment variable and executed viasubprocess.runwithshlex.split. This is an intended, opt-in feature for advanced automation workflows. - [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch data and download generated artifacts (audio, video, PDFs) from trusted Google-owned domains including
notebooklm.google.com,storage.googleapis.com, andgoogleusercontent.com. - [DATA_EXFILTRATION]: The skill manages highly sensitive Google session cookies required for authentication. These are stored locally in
~/.notebooklm/profiles/<profile>/storage_state.json. The implementation enforces restrictive file permissions (0o600, read/write by owner only) to protect these credentials. - [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from external URLs and web research results which are then processed by the NotebookLM backend and presented to the AI agent.
- Ingestion points: Data enters the agent's context through
notebooklm source addandnotebooklm source add-research(found insrc/notebooklm/_sources.pyandsrc/notebooklm/_research.py). - Boundary markers: The skill does not explicitly use markers or "ignore embedded instructions" warnings when processing external data.
- Capability inventory: The library can execute shell commands (via the auth refresh hook), perform network operations, and write files to the local system (
src/notebooklm/_core.py,src/notebooklm/_artifacts.py). - Sanitization: Content sanitization is primarily handled by the external Google NotebookLM service.
Audit Metadata