notebooklm
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation indicates that the scripts/run.py wrapper automatically creates a virtual environment and installs necessary software dependencies from external registries at runtime.
- [CREDENTIALS_UNSAFE]: To maintain persistent authentication, the skill stores browser session data and cookies in the ~/.claude/skills/notebooklm/data/browser_state/ directory. These are sensitive session credentials that could be accessed by other local processes.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing notebook content from external sources.
  - Ingestion points: Data enters the context via the output of scripts/ask_question.py, which fetches answers derived from documentation uploaded to the Google NotebookLM service.
  - Capability inventory: The agent has the capability to execute shell commands and management scripts via the scripts/run.py wrapper.
  - Boundary markers: There are no specified boundary markers or instructions to treat external data as untrusted content, increasing the risk that the agent may follow instructions embedded within the notebook documents.
  - Sanitization: No sanitization or validation of the text retrieved from the external service is described before the agent synthesizes the information into its final response.
Audit Metadata