notebooklm
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- Remote Code Execution (HIGH): The skill documentation explicitly recommends installing software with the command curl -sSL https://canifi.com/skills/notebooklm/install.sh | bash. This executes unverified remote code with the privileges of the local user; because the script is piped straight into the shell, it is never written to disk, so there is nothing to inspect before it runs and nothing to reproduce afterwards if the hosted content changes.
- External Downloads (HIGH): The skill relies on scripts hosted at canifi.com, which is not a recognized trusted source. This is a supply chain risk: the server can change the script at any time without notice, and the install command pins neither a version nor a digest, so every run trusts whatever the host serves at that moment.
- Credentials Unsafe (MEDIUM): The setup instructions encourage users to store sensitive information, including SERVICE_PASSWORD, using a CLI tool (canifi-env). The skill claims this is stored locally, but that still exposes the credential to any script or process running in the same environment, including the remote install script above, which runs as the same user.
- Indirect Prompt Injection (LOW): The skill's primary function is to process untrusted external data (PDFs, URLs, YouTube videos). Malicious instructions embedded in those documents could hijack the agent's logic during analysis, since nothing in the documented workflow separates document content from agent instructions.
- Ingestion points: SKILL.md mentions uploading PDFs, Google Docs, Slides, Web URLs, and YouTube videos.
- Boundary markers: None specified in the provided instructions to differentiate between document content and agent instructions.
- Capability inventory: The skill uses Playwright for browser automation and shell commands for environment management.
- Sanitization: No sanitization or validation logic is documented for the ingested content.
Recommendations
- HIGH: Downloads and executes remote code from https://canifi.com/install.sh and https://canifi.com/skills/notebooklm/install.sh.
- DO NOT USE without thorough review.
- AI detected serious security threats
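What "thorough review" looks like in practice, as an added example that is not part of this audit or of the skill's own install instructions: fetch the installer to a file instead of into a shell, pin its SHA-256 at review time so a silently changed script fails closed, and triage it for the patterns flagged above (nested curl | bash, eval, sudo, credential names) before a human reads it. The function names, the pinned digest and the sample scripts are assumptions for illustration; the samples are constructed locally so the checks run offline, and nothing here executes an installer.

```shell
#!/usr/bin/env bash
# Added example (not from the audit page or the notebooklm skill): replace
# "curl -sSL <url> | bash" with download-to-file, digest pinning and triage.
# Function names, the pinned digest and the sample scripts are assumptions.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# fetch_installer URL DEST: download to DEST, never to a shell.
# --fail keeps an HTTP error page from being saved as a "script";
# --proto/--proto-redir stop a redirect from downgrading to plain http.
fetch_installer() {
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       --max-time 30 --output "$2" "$1"
}

# verify_installer FILE EXPECTED: succeed only if FILE's SHA-256 equals the
# digest pinned when the script was last reviewed. A changed digest means the
# hosted content changed and the review must be redone.
verify_installer() {
  local actual
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$1" "$2" "$actual" >&2
    return 1
  fi
}

# flag_risky_lines FILE: print (line:content) any line that itself pipes
# remote code into a shell, uses eval/sudo, or mentions credential-looking
# names. Returns 1 on any hit so staging stops and a human reads the script.
flag_risky_lines() {
  local hits
  hits=$(grep -nE \
    '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|(^|[[:space:];])(eval|sudo)([[:space:]]|$)|PASSWORD|TOKEN|SECRET' \
    "$1" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
}

# stage_for_review URL EXPECTED DEST: the full workflow. It never runs the
# installer; once it succeeds the reviewer reads DEST and runs it deliberately.
stage_for_review() {
  fetch_installer "$1" "$3"
  verify_installer "$3" "$2"
  flag_risky_lines "$3"
}

# Offline demonstration with a constructed sample installer (not a real download).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "installing sample"\n' > "$demo_dir/sample-install.sh"
pinned=$(sha256_of "$demo_dir/sample-install.sh")   # recorded at review time
verify_installer "$demo_dir/sample-install.sh" "$pinned" && echo "digest ok"
flag_risky_lines "$demo_dir/sample-install.sh" && echo "no risky patterns"
```

The triage regex is deliberately crude: it is a tripwire that forces a read, not a substitute for one. A real staging run looks like stage_for_review https://canifi.com/skills/notebooklm/install.sh <digest-from-last-review> ./install.sh, and a digest mismatch on a later run is the signal that the hosted script changed.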
Audit Metadata