opencode-notebooklm
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
notebooklm-mcp-clipackage from PyPI. This is a third-party dependency that is not associated with a known trusted organization. - [COMMAND_EXECUTION]: The instructions involve running shell commands to install software, log into services, and locate executable paths (
pip install,nlm login,which). It also requires modifying theopencode.jsonconfiguration file in the user's home directory (~/.config/opencode/opencode.json) to enable the MCP server functionality. - [PROMPT_INJECTION]: By integrating with Google NotebookLM, the agent processes external data which may contain untrusted content. This creates a surface for indirect prompt injection if the notebooks contain instructions intended to hijack the agent's logic.
- Ingestion points: Notebook content retrieved from Google NotebookLM via the
notebooklmMCP tool defined inSKILL.md. - Boundary markers: No boundary markers or specific "ignore" instructions are provided to the agent when processing retrieved notebook data.
- Capability inventory: The agent is granted the ability to list, read, and write notebooks using the
nlmcommand-line tool. - Sanitization: There is no evidence of content sanitization or validation before the agent processes the retrieved data.
Audit Metadata