The Agent Skills Directory

Unverifiable Dependencies (MEDIUM): The skill depends on patchright, an anti-detection browser automation library. This package and its associated browser binaries are downloaded from non-trusted sources during the setup process.
Evidence: requirements.txt specifies patchright==1.55.2. scripts/setup_environment.py executes patchright install chrome via subprocess.
Remote Code Execution (MEDIUM): The skill performs runtime installation of packages and execution of scripts through a custom wrapper. While intended for environment isolation, this pattern involves executing code downloaded at runtime.
Evidence: scripts/run.py and scripts/setup_environment.py use subprocess.run to call pip install and execute other Python scripts in the .venv.
Indirect Prompt Injection (LOW): The skill ingests untrusted data from Google NotebookLM and uses it to decide if follow-up actions are needed. Maliciously crafted documents could attempt to influence the agent's logic during the synthesis phase.
Ingestion points: scripts/ask_question.py extracts text from the NotebookLM UI (RESPONSE_SELECTORS).
Boundary markers: None. The answer text is returned to the agent without delimiters or safety instructions.
Capability inventory: File writing (library.json, auth_info.json), network access via browser automation, and subprocess execution via run.py.
Sanitization: None detected. Output is raw text from the browser session.
Command Execution (LOW): The skill relies heavily on subprocess to manage its internal lifecycle and environment, which is a common but sensitive capability.
Evidence: scripts/__init__.py, scripts/run.py, and scripts/setup_environment.py all use the subprocess module to manage the virtual environment.

notebooklm