notebooklm

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and acts on untrusted third-party web and user-generated content — e.g., source_add(type=url) (including YouTube) and research_start/research_import (workflow-research-discovery.md and SKILL.md examples) which NotebookLM then reads via notebook_query and studio_create to drive actions, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls source_add(..., type="url") to fetch external webpages at runtime (e.g., "https://oauth.net/2.1/" and examples like "https://owasp.org/Top10/"), and those fetched pages are ingested as notebook sources that are injected into model context and directly influence generated responses, making them a required runtime dependency.