notebooklm-skill

SUSPICIOUS: the skill is purpose-aligned and uses mostly legitimate install channels, but it depends on an unofficial third-party client that handles Google authenticated session state and exposes sharing actions. No clear credential-harvesting endpoint or overt malware behavior is shown, yet the combination of undocumented API use, session file handling, and external sharing makes this a medium-risk automation skill rather than benign.