anything-to-notebooklm

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The installation process fetches code from external GitHub repositories that are not recognized as trusted sources.
      • install.sh clones the repository https://github.com/Bwkyd/wexin-read-mcp.git for WeChat extraction.
      • install.sh installs the Python package notebooklm-py directly from https://github.com/teng-lin/notebooklm-py.git.
  • [REMOTE_CODE_EXECUTION]: The skill is designed to run external scripts as part of its core functionality.
      • It executes a Python server script (server.py) from the cloned wexin-read-mcp repository to operate as an MCP server.
      • check_env.py utilizes __import__ for dynamic module loading during environment verification.
  • [COMMAND_EXECUTION]: The skill frequently invokes shell commands to perform file conversions and interact with CLI tools.
      • It calls markitdown for document conversion, using arguments derived from user-provided file paths.
      • It executes the notebooklm CLI tool for creating notebooks and uploading sources.
      • Shell commands in check_env.py use subprocess.run to verify tool versions and authentication status.
  • [DATA_EXFILTRATION]: The skill facilitates the transfer of local user data to an external AI service.
      • Local documents (PDF, DOCX, EPUB, images) are converted to text and uploaded to Google's NotebookLM platform.
      • The check_env.py and install.sh scripts access the user's local Claude configuration file (~/.claude/config.json) to verify settings.
  • [PROMPT_INJECTION]: The skill processes untrusted content from the web and local files, posing a risk of indirect prompt injection.
      • Ingestion points: The skill fetches content from WeChat articles, YouTube transcripts, and various user-provided document formats.
      • Boundary markers: The instructions in SKILL.md do not define clear delimiters or "ignore previous instructions" warnings for the processed content before it is uploaded to the AI service.
      • Capability inventory: The skill has significant capabilities including network access, file reading/writing, and shell command execution across multiple files.
      • Sanitization: There is no evidence of sanitization, filtering, or validation of the ingested content before it is processed by the AI.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 09:05 AM