notebooklm
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs automated environment management by installing Python dependencies via `pip` and downloading the Chromium browser using the `patchright` library. These operations target standard package registries and official browser distributions.
- [COMMAND_EXECUTION]: The skill relies on a `run.py` wrapper to execute various automation scripts (`ask_question.py`, `notebook_manager.py`, `auth_manager.py`). It uses system commands to manage the virtual environment, install the browser, and clean up hanging processes (e.g., `pkill`). These commands are necessary for the skill's browser-based automation functionality.
- [PROMPT_INJECTION]: The skill retrieves source-grounded responses from Google NotebookLM and presents them to the agent for synthesis. This introduces a surface for indirect prompt injection if the source documents in the notebook contain malicious instructions. The skill lacks explicit boundary markers or sanitization logic for this external content.
  - Ingestion points: Answers retrieved from NotebookLM via `ask_question.py` (File: `SKILL.md`).
  - Boundary markers: Absent; the agent is instructed to stop, analyze, and synthesize based on the raw answer.
  - Capability inventory: File system cleanup (`cleanup_manager.py`), notebook library modification (`notebook_manager.py`), and shell script execution (`run.py`).
  - Sanitization: Absent; the skill trusts the grounded answers provided by the NotebookLM interface.
- [DATA_EXFILTRATION]: The skill manages sensitive Google session data (cookies and authentication info) locally within the `~/.claude/skills/notebooklm/data/` directory. This data is used to maintain persistent authentication states. The documentation correctly instructs users to exclude this directory from version control using `.gitignore`, mitigating the risk of accidental exposure.
Audit Metadata