notebooklm
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [DATA_EXPOSURE]: The skill manages highly sensitive Google authentication session data stored locally in `~/.notebooklm/storage_state.json`. While necessary for the tool's function, this file contains cookies that allow full access to the user's Google account session within NotebookLM.
- [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection because its primary purpose is to ingest and process untrusted external content from URLs, YouTube transcripts, and uploaded documents.
  - Ingestion points: `SKILL.md` defines multiple entry points for untrusted data via the `notebooklm source add` command (supporting URLs, YouTube links, PDFs, and Google Drive files).
  - Boundary markers: The skill lacks explicit boundary markers or instructions to the agent to disregard instructions embedded within the source materials.
  - Capability inventory: The agent has the capability to download generated artifacts to the local filesystem (`notebooklm download`), share notebooks publicly (`notebooklm share public`), and add external collaborators (`notebooklm share add`), which could be abused if the agent is manipulated by injected instructions.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from external sources before it is processed by the AI.
- [EXTERNAL_DOWNLOADS]: The skill requires installation of the third-party Python package `notebooklm-py` and the Playwright browser automation framework, which downloads external browser binaries.
- [COMMAND_EXECUTION]: The skill relies on executing a wide range of shell commands to interact with the NotebookLM service, which provides a broad capability set that could be misused if the agent's logic is compromised.
Audit Metadata