anything-to-notebooklm

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly fetches and ingests untrusted public content — e.g., 微信公众号 via the wexin-read-mcp MCP server, “任意网页链接”/YouTube URLs (Step 2: 获取内容), and WebSearch results — and then uploads and uses that content to drive NotebookLM generation commands, so third‑party content can materially influence the agent's actions and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installer and runtime require cloning and running remote code — e.g., install.sh/git clone of https://github.com/Bwkyd/wexin-read-mcp.git (MCP server's server.py is configured to be executed at runtime) and pip installing git+https://github.com/teng-lin/notebooklm-py.git (NotebookLM CLI installed/executed) — so these external git URLs are fetched and their code is executed as required dependencies.