notebooklm-skill
Warn
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages sensitive Google session data stored at
~/.notebooklm/storage_state.json. This file contains authentication cookies that grant access to the user's Google account session. It also supports using theNOTEBOOKLM_AUTH_JSONenvironment variable for authentication.\n- [EXTERNAL_DOWNLOADS]: The skill requires the installation ofnotebooklm-py, which is an unofficial, third-party Python package from the PyPI registry, along with the Playwright browser automation tool.\n- [COMMAND_EXECUTION]: All primary functions of the skill are performed by executing shell commands via thenotebooklmCLI tool, which handles notebook management and content generation.\n- [DATA_EXFILTRATION]: The skill is designed to transmit various data types, including local files, Google Drive content, and website URLs, to the external Google NotebookLM service.\n- [PROMPT_INJECTION]: The skill processes untrusted external data (URLs, PDFs, YouTube content) and uses it to generate AI outputs. There is a potential risk of indirect prompt injection if the source materials contain malicious instructions.\n - Ingestion points: Sources added via URLs, YouTube, local files, and Google Drive as described in SKILL.md.\n
- Boundary markers: None identified in the provided instructions to prevent the model from following instructions found within the processed sources.\n
- Capability inventory: File system access, network operations, and subprocess execution via the
notebooklmCLI.\n - Sanitization: No evidence of sanitization or filtering of external content before processing is mentioned.
Audit Metadata