notebooklm

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run in scripts/run.py, scripts/setup_environment.py, and scripts/__init__.py to automate environment management. It handles the creation of a virtual environment, installation of requirements, and execution of internal scripts as sub-processes.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs third-party Python packages (patchright, python-dotenv) and browser binaries (Google Chrome) during its first-time setup phase. These operations are performed via pip and the patchright CLI to facilitate browser automation.
  • [PROMPT_INJECTION]: The skill processes untrusted output from external documents via NotebookLM query responses, which introduces a surface for indirect prompt injection. A malicious document could attempt to influence the agent's behavior through instructions embedded in the synthesized answers.
      • Ingestion points: Query responses are scraped from the NotebookLM UI using the .to-user-container .message-text-content selector in scripts/ask_question.py.
      • Boundary markers: The skill appends a FOLLOW_UP_REMINDER to the ingested text, instructing the agent to evaluate the response, but does not provide technical delimiters to isolate the untrusted content.
      • Capability inventory: The agent can execute scripts via the run.py wrapper, manage local JSON files, and automate browser interactions with network access.
      • Sanitization: There is no explicit sanitization or filtering of the retrieved text content before it is interpolated into the agent's context.
  • [CREDENTIALS_UNSAFE]: The skill manages Google authentication by capturing and storing browser cookies and session state in data/browser_state/state.json. While the skill instructions emphasize local storage and git exclusion, the handling of active session tokens for a Google account is a sensitive operation.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 1, 2026, 03:42 AM
Security Audit — agent-trust-hub — notebooklm