notebooklm
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill employs a `run.py` wrapper script to execute internal Python automation scripts. This ensures all operations occur within a dedicated, isolated virtual environment (`.venv`).
- [EXTERNAL_DOWNLOADS]: During its first-time setup, the skill automatically installs required Python dependencies (such as `patchright` and `python-dotenv`) from PyPI. It also downloads a compatible version of the Google Chrome browser using the `patchright` automation library.
- [PROMPT_INJECTION]: The skill possesses an attack surface for Indirect Prompt Injection because it retrieves and processes text from external NotebookLM sources. If a notebook contains instructions intended to manipulate an AI agent, those instructions could be ingested into the agent's context. This is a standard risk for skills that read from external, potentially untrusted knowledge bases.
- [DATA_EXFILTRATION]: The skill manages sensitive Google session data, including cookies and browser profiles. These are stored strictly within the local `data/` directory. The skill uses `.gitignore` to prevent this sensitive data from being accidentally shared or committed to version control.
- [CREDENTIALS_UNSAFE]: Google authentication is handled through a visible browser window, facilitating a secure manual login process. This ensures that the user's Google credentials are not directly accessible to the skill's automation scripts.
- [COMMAND_EXECUTION]: The virtual environment management scripts (`scripts/__init__.py` and `scripts/setup_environment.py`) use `subprocess.run` to manage package installations and browser setup. These calls are part of the skill's infrastructure and do not process arbitrary, unsanitized user input.
Audit Metadata