notebooklm
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The `run.py` wrapper and setup instructions perform automated installation of Python dependencies and Chromium browser binaries via the `patchright` library. These operations fetch and execute code from external registries.
- COMMAND_EXECUTION (MEDIUM): The skill instructs the agent to build shell commands using strings dynamically retrieved from NotebookLM (e.g., the 'Smart Discovery' workflow). If the retrieved notebook content contains shell metacharacters and the underlying scripts lack robust sanitization, it could lead to arbitrary command execution on the host.
- CREDENTIALS_UNSAFE (MEDIUM): The skill stores sensitive Google authentication session data, including cookies and browser state, in `~/.claude/skills/notebooklm/data/`. This local storage of persistent authentication tokens represents a risk if the filesystem is compromised or if other skills have access to the same directory.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from Google NotebookLM and uses it to drive agent logic and command arguments. (1) Ingestion points: `ask_question.py` (external notebook content). (2) Boundary markers: None specified in the CLI interpolation patterns. (3) Capability inventory: Subprocess execution via `run.py`, network access, and filesystem writes. (4) Sanitization: No sanitization or escaping logic for notebook-sourced strings is described in the provided skill context.
Audit Metadata